Exemple #1
 def testModelsForUserRoleAssignment(self):
     """Save a user, a role and a user-to-role mapping, then read the mapping back.

     Roles may also be kept in AD; this test covers the case where they
     are synced or managed internally, which will probably need to be
     configurable.
     """
     member = usersmodels.User(user_name="test", full_name="test")
     member.save()

     # Every audit field below is attributed to the 'admin' account,
     # which must already exist for the lookup to succeed.
     author = usersmodels.User.objects.get(user_name='admin')

     models.RbacRole(
         name='sysadmin',
         created_by=author,
         modified_by=author,
     ).save()
     # Re-read the role by name so the mapping points at the stored row.
     stored_role = models.RbacRole.objects.get(name='sysadmin')

     models.RbacUserRole(
         user=member,
         role=stored_role,
         created_by=author,
         modified_by=author,
         created_date=timeutils.now(),
         modified_date=timeutils.now(),
     ).save()

     # Exactly one assignment is expected, linking 'test' to 'sysadmin'.
     assignments = models.RbacUserRole.objects.filter(user=member)
     self.assertEquals(len(assignments), 1, 'correct length')
     first = assignments[0]
     self.assertEquals(first.user.user_name, 'test', 'saved ok')
     self.assertEquals(first.role.name, 'sysadmin', 'saved ok')
Exemple #2
    def testModelsForRbacRoles(self):
        '''Check that RbacRole rows can be created and queried back.'''
        for role_name in ('sysadmin', 'developer'):
            author = usersmodels.User.objects.get(user_name='admin')
            models.RbacRole(
                name=role_name,
                created_by=author,
                modified_by=author,
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            ).save()

        # Two roles were added above; the expected total of 3 implies one
        # role already exists beforehand (presumably from a fixture).
        every_role = models.RbacRole.objects.all()
        self.assertEquals(len(every_role), 3, 'correct number of results')

        # 'developer' was saved last, so it is expected to hold pk 3.
        stored = models.RbacRole.objects.get(name='developer')
        self.assertEquals(stored.pk, 3)
Exemple #3
    def _setupRbac(self):
        """Grant the 'developer' role three permissions on two query sets.

        The RbacEngine test base class has already done most of the
        setup; this only adds the grants this test module works with
        (ModMembers, CreateResource and ReadSet on 'All Projects' and
        'All Images') and then retags the query sets.
        """
        developer = rbacmodels.RbacRole.objects.get(name='developer')
        self.all_projects = querymodels.QuerySet.objects.get(name='All Projects')
        self.all_images = querymodels.QuerySet.objects.get(name='All Images')
        mod_members = rbacmodels.RbacPermissionType.objects.get(name='ModMembers')
        read_set = rbacmodels.RbacPermissionType.objects.get(name='ReadSet')
        create_resource = rbacmodels.RbacPermissionType.objects.get(name='CreateResource')
        author = usermodels.User.objects.get(user_name='admin')

        # One grant per (query set, permission type) pair, six in total.
        pairs = [
            (target, perm_type)
            for target in (self.all_projects, self.all_images)
            for perm_type in (mod_members, create_resource, read_set)
        ]
        for target, perm_type in pairs:
            grant = rbacmodels.RbacPermission(
                queryset=target,
                role=developer,
                permission=perm_type,
                created_by=author,
                modified_by=author,
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            )
            grant.save()

        # Called after the grants are saved; defined outside this snippet.
        self._retagQuerySets()
Exemple #4
 def mk_permission(queryset, role, action):
     """Create and save one grant of permission *action* to *role* on *queryset*.

     *role* and *action* are names; both are resolved to rows here, and
     the lookups raise if no matching row exists.  The grant's audit
     fields are attributed to the 'admin' user.
     """
     role_row = models.RbacRole.objects.get(name=role)
     permission_type = models.RbacPermissionType.objects.get(name=action)
     author = usersmodels.User.objects.get(user_name='admin')
     grant = models.RbacPermission(
         queryset=queryset,
         role=role_row,
         permission=permission_type,
         created_by=author,
         modified_by=author,
         created_date=timeutils.now(),
         modified_date=timeutils.now(),
     )
     grant.save()
Exemple #5
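    def addQuerySetChosen(self, querySetId, resources, by_user):
        '''
        Replace the chosen members of a query set with the given resources.

        All previously chosen tags for the query set are deleted, the new
        resources are tagged as chosen, and the query set's modified_date
        (plus modified_by, when it differs from by_user) is updated.

        Raises Exception when any submitted resource has a tag that does
        not match the query set's resource type.
        '''
        # TODO: update transitive items
        querySet = self._querySet(querySetId)
        expected_type = querySet.resource_type
        resources_out = getattr(resources, expected_type)

        # Validate every submitted resource, not only the first one: a
        # mixed list must be rejected before any existing tag is deleted,
        # because query set membership feeds the RBAC grants.
        for candidate in resources_out:
            found_type = candidate._xobj.tag
            if found_type != expected_type:
                raise Exception("attempting to add an object of the wrong type (%s vs %s)" % (found_type, expected_type))

        # Delete all previously tagged resources
        # NOTE(review): the delete and the re-tag below are separate
        # statements; confirm the caller runs them in one transaction so a
        # failure cannot leave the chosen list empty.
        tagModel = modellib.type_map[self.tagModelMap[expected_type]]
        tagModel.objects.filter(
            query_set=querySet,
            inclusion_method=self._chosenMethod(),
        ).delete()

        # Tag new resources
        # NOTE(review): updateQuerySetChosen treats a None tag method as
        # "type not taggable yet"; here a None would fail on the call.
        # Verify whether that case can reach this method.
        tagMethod = self._tagMethod(querySet)
        tagMethod(resources_out, querySet, self._chosenMethod())

        # Record who changed the membership and when.
        update_args = dict(modified_date=timeutils.now())
        if querySet.modified_by != by_user:
            update_args['modified_by'] = by_user
        models.QuerySet.objects.filter(pk=querySet.pk).update(**update_args)

        # NOTE(review): the sibling methods pass querySetId here rather
        # than the query set object; kept as written.
        return self.getQuerySetChosenResult(querySet)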
Exemple #6
    def updateQuerySetChosen(self, querySetId, resource, by_user):
        '''
        Explicitly add one resource to a query set's chosen results.

        The resource's tag must equal the query set's resource type,
        since query sets are not heterogeneous; otherwise an Exception
        is raised.
        '''
        target = self._querySet(querySetId)
        # The query set's tagged date is deliberately not touched here:
        # it could still be stale with respect to child or filtered results.
        tagger = self._tagMethod(target)

        actual_type, wanted_type = resource._xobj.tag, target.resource_type
        if actual_type != wanted_type:
            raise Exception("attempting to add an object of the wrong type (%s vs %s)" % (actual_type, wanted_type))

        # A missing tagger means this resource type cannot be tagged yet,
        # in which case the tagging step is skipped.
        if tagger is not None:
            tagger([resource], target, self._chosenMethod())

        # Audit trail: always bump the date, change the author only if new.
        audit = {'modified_date': timeutils.now()}
        if target.modified_by != by_user:
            audit['modified_by'] = by_user
        models.QuerySet.objects.filter(pk=target.pk).update(**audit)

        return self.getQuerySetChosenResult(querySetId)
Exemple #7
    def updateQuerySet(self, querySet, by_user):
        '''
        Edit a query set and refresh the membership tags that depend on it.

        Raises errors.QuerySetReadOnly when querySet.can_modify is false.
        Otherwise the query set and each of its ancestors is re-evaluated
        and retagged, their audit fields are updated, and the edited
        query set is saved and returned.
        '''
        # Refuse the edit up front for query sets flagged as not modifiable.
        # NOTE(review): only the edited query set is checked; the ancestors
        # updated in the loop below get no can_modify check of their own --
        # presumably intended, confirm.
        if not querySet.can_modify:
            raise errors.QuerySetReadOnly(querySetName=querySet.name)
        querySet.tagged_date = None

        # in case the filter terms changed, evaluate queryset and
        # all parents so they can contain accurate membership.  Transitive
        # tags must be applied on each so RBAC will be up to date
        # this will probably be slow, but likely infrequent.

        to_update = querySet.ancestors()
        to_update.append(querySet)
        for qs in to_update:
            # The order of these four calls is kept exactly as written;
            # the helpers are defined outside this snippet.
            qsAllResult = self._getQuerySetAllResult(qs)
            self._tagSingleQuerySetTransitive(qs, qsAllResult)
            self._updateQuerySetTaggedDate(qs)
            self.getQuerySetAllResult(qs, use_tags=False)

            # update tag info
            # modified_date is always refreshed; modified_by only changes
            # when a different user made the edit.
            update_args = dict(modified_date=timeutils.now())
            if qs.modified_by != by_user:
                update_args['modified_by'] = by_user
            models.QuerySet.objects.filter(pk=qs.pk).update(**update_args)

        self._recomputeStatic(querySet)
        # NOTE(review): querySet.tagged_date was set to None in memory
        # above; verify whether this save() writes that None over the
        # tagged date stored during the loop.
        querySet.save()
        return querySet
Exemple #8
 def deleteQuerySetChild(self, querySetId, queryset, for_user):
     '''
     Detach a child queryset from the queryset identified by querySetId.

     The parent's audit fields are set to for_user and the current
     time, and the saved parent is returned.
     '''
     # NOTE(review): unlike updateQuerySet, no can_modify check is made
     # here; presumably the caller enforces it -- confirm.
     parent = self._querySet(querySetId)
     parent.children.remove(queryset)

     # Record who changed the parent's membership and when.
     parent.modified_by = for_user
     parent.modified_date = timeutils.now()
     parent.save()
     return parent
Exemple #9
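 def updateRbacRole(self, old_id, role, by_user):
     """Save an edited role while preserving its original creation audit fields.

     created_by and created_date are copied from the stored role, the
     modification fields are set to by_user and the current time, and
     query sets of type "role" are invalidated.  Returns the saved role.

     Raises Exception when the stored role has no created_date.
     """
     # NOTE(review): old_id is never used; the stored row is selected by
     # the role_id carried inside role.oldModel.  If that document comes
     # from the request body, confirm it is checked against the id the
     # request was routed on.
     oldRoleId = role.oldModel.xpath("./role_id/text()")[0]
     old_obj = models.RbacRole.objects.get(pk=oldRoleId)

     # Validate the stored row before touching `role`, so a rejected
     # update leaves the incoming object unmodified (the same order
     # updateRbacPermission uses).
     if old_obj.created_date is None:
         raise Exception("ERROR: invalid previous object?")

     # Creation metadata comes from the stored row rather than from the
     # incoming object, so an edit does not rewrite it.
     role.created_by = old_obj.created_by
     role.created_date = old_obj.created_date
     role.modified_date = timeutils.now()
     role.modified_by = by_user
     role.save()
     self.mgr.invalidateQuerySetsByType("role")
     return role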
Exemple #10
 def updateRbacPermission(self, old_id, permission, by_user):
     """Save an edited grant while preserving its original creation audit fields.

     Raises Exception when the stored grant has no created_date.
     Invalidates query sets of type "grant" and returns the saved grant.
     """
     # NOTE(review): old_id is unused; the stored grant is located through
     # the grant_id inside permission.oldModel.  If that document is
     # request-supplied, confirm it matches the id the request was routed on.
     previous_pk = permission.oldModel.xpath("./grant_id/text()")[0]
     previous = models.RbacPermission.objects.get(pk=previous_pk)
     if previous.created_date is None:
         raise Exception("ERROR: invalid previous object?")

     # Creation metadata is copied from the stored row; only the
     # modification fields reflect this edit.
     permission.created_by = previous.created_by
     permission.created_date = previous.created_date
     permission.modified_date = timeutils.now()
     permission.modified_by = by_user
     permission.save()

     self.mgr.invalidateQuerySetsByType("grant")
     return permission
Exemple #11
 def updateSystem(self, system, for_user=None):
     """Refresh a system's state from its last job, stamp it and save it.

     When for_user is truthy it is recorded as modified_by;
     modified_date is always refreshed.  Query sets of type 'system'
     are invalidated and the system is returned.
     """
     job = getattr(system, 'lastJob', None)
     if job:
         if job.job_state.name == jobmodels.JobState.COMPLETED:
             # addSystem also updates the system state as a side effect.
             self.addSystem(
                 system,
                 generateCertificates=False,
                 withRetagging=False,
             )
     self.setSystemStateFromJob(system)

     if for_user:
         system.modified_by = for_user
     system.modified_date = timeutils.now()
     system.save()

     self.mgr.invalidateQuerySetsByType('system')
     return system
Exemple #12
    def setUp(self):
        """Mock out repository access and grant the 'developer' role its project permissions."""
        RbacEngine.setUp(self)

        # Replace the repository-touching manager methods with mocks.
        mock.mock(reposmanager.ReposManager, "createRepositoryForProject")
        mock.mock(reposmanager.ReposManager, "createSourceTrove")
        prod_def = mock.MockObject()
        prod_def.getImageGroup._mock.setReturn("group-foo-appliance")
        prod_def.loadFromRepository._mock.setReturn(prod_def)
        # self.mock() is used for restDb so the mock is discarded at the
        # end of the test.
        self.mock(basemanager.BaseRbuilderManager, "restDb", mock.MockObject())
        basemanager.BaseRbuilderManager.restDb.getProductVersionDefinitionFromVersion._mock.setDefaultReturn(prod_def)
        mock.mock(manager.ProjectManager, "setProductVersionDefinition")

        self.mgr = rbuildermanager.RbuilderManager()
        self.mintConfig = self.mgr.cfg

        # Grant the 'developer' role ModMembers and CreateResource on
        # "All Projects" and "All Project Stages".  The XML variants are
        # skipped here because rbac/tests.py covers them well.
        # NOTE(review): the comment this replaces described the developer
        # user as lacking access to these sets; the grants below say
        # otherwise -- confirm which is intended.
        developer = rbacmodels.RbacRole.objects.get(name='developer')
        self.all_projects = querymodels.QuerySet.objects.get(name='All Projects')
        self.all_pbs = querymodels.QuerySet.objects.get(name='All Project Stages')
        mod_members = rbacmodels.RbacPermissionType.objects.get(name='ModMembers')
        create_resource = rbacmodels.RbacPermissionType.objects.get(name='CreateResource')
        author = usersmodels.User.objects.get(user_name='admin')

        pairs = [
            (target, perm_type)
            for target in (self.all_projects, self.all_pbs)
            for perm_type in (mod_members, create_resource)
        ]
        for target, perm_type in pairs:
            grant = rbacmodels.RbacPermission(
                queryset=target,
                role=developer,
                permission=perm_type,
                created_by=author,
                modified_by=author,
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            )
            grant.save()

        self._retagQuerySets()
Exemple #13
    def testModelsForRbacPermissions(self):
        """Save a grant linking a role, a query set and a permission type, then read it back."""
        baseline = len(list(querymodels.QuerySet.objects.all()))

        # TODO: load from queryset fixture?
        target_set = querymodels.QuerySet()
        target_set.save()

        author = usersmodels.User.objects.get(user_name='admin')
        models.RbacRole(
            name='sysadmin',
            created_by=author,
            modified_by=author,
            created_date=timeutils.now(),
            modified_date=timeutils.now(),
        ).save()
        # Re-read the role by name so the grant points at the stored row.
        stored_role = models.RbacRole.objects.get(name='sysadmin')

        action_name = MODSETDEF
        models.RbacPermission(
            queryset=target_set,
            role=stored_role,
            permission=models.RbacPermissionType.objects.get(name=action_name),
            created_by=author,
            modified_by=author,
            created_date=timeutils.now(),
            modified_date=timeutils.now(),
        ).save()

        grants = models.RbacPermission.objects.filter(queryset=target_set)
        self.assertEquals(len(grants), 1, 'correct length')
        first = grants[0]
        self.assertEquals(first.permission.name, action_name, 'saved ok')
        # Assumes the new query set's pk is one more than the number of
        # query sets that existed before -- TODO confirm.
        self.assertEquals(first.queryset.pk, baseline + 1, 'saved ok')
        self.assertEquals(first.role.name, 'sysadmin', 'saved ok')
Exemple #14
    def setUp(self):
        """Seed three roles and the grants the tests in this class rely on.

        Resulting grants:
          * sysadmin:  MODMEMBERS, CREATERESOURCE on the datacenter query set
          * developer: READMEMBERS on the datacenter query set
          * developer: MODMEMBERS, CREATERESOURCE on the lab query set
        The 'intern' role receives no grant here.
        """
        RbacTestCase.setUp(self)

        def admin_user():
            # The 'admin' account authors every audit field.
            return usersmodels.User.objects.get(user_name='admin')

        def grant(queryset, role_name, permission_name):
            # Resolve the role and permission type by name, then save one grant.
            models.RbacPermission(
                queryset=queryset,
                role=models.RbacRole.objects.get(name=role_name),
                permission=models.RbacPermissionType.objects.get(name=permission_name),
                created_by=admin_user(),
                modified_by=admin_user(),
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            ).save()

        self.seed_data = ['sysadmin', 'developer', 'intern']
        for role_name in self.seed_data:
            models.RbacRole(
                name=role_name,
                created_by=admin_user(),
                modified_by=admin_user(),
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            ).save()

        for permission in (MODMEMBERS, CREATERESOURCE):
            grant(self.datacenter_queryset, 'sysadmin', permission)

        grant(self.datacenter_queryset, 'developer', READMEMBERS)

        for permission in (MODMEMBERS, CREATERESOURCE):
            grant(self.lab_queryset, 'developer', permission)
Exemple #15
    def deleteQuerySetChosen(self, querySetId, resource, by_user):
        '''
        Drop one resource from a query set's chosen results and update
        the query set's audit fields.
        '''
        # TODO: if for this querySet I'm marked chosen but NOT filtered
        # set the tagged_date back to NULL so it will be retagged next time
        target = self._querySet(querySetId)
        tag_model = modellib.type_map[self.tagModelMap[target.resource_type]]

        # A tag model may name its resource column through 'tagged_field';
        # otherwise the column is named after the resource type.
        field_name = getattr(tag_model, 'tagged_field', target.resource_type)
        tag_model.objects.filter(
            query_set=target,
            inclusion_method=self._chosenMethod(),
            **{field_name: resource}
        ).delete()

        # Audit trail: always bump the date, change the author only if new.
        audit = {'modified_date': timeutils.now()}
        if target.modified_by != by_user:
            audit['modified_by'] = by_user
        models.QuerySet.objects.filter(pk=target.pk).update(**audit)

        return self.getQuerySetChosenResult(querySetId)
Exemple #16
    def testGrantMatrixForNewRole(self):
        """Check that a newly created role appears in a query set's grant matrix.

        Creates a 'guru' role, fetches the grant matrix of
        self.targets_queryset and compares the response body with a
        fixed XML document.
        """
        # RCE-1444
        models.RbacRole.objects.create(
            name='guru',
            created_by=usersmodels.User.objects.get(user_name='admin'),
            modified_by=usersmodels.User.objects.get(user_name='admin'),
            created_date=timeutils.now(),
            modified_date=timeutils.now()
        )
        # NOTE(review): the credential literals below look masked in this
        # listing; the real test presumably passes a fixture account -- confirm.
        response = self._get("query_sets/%s/grant_matrix" %
                self.targets_queryset.pk,
            username='******',
            password='******'
        )
        self.assertEquals(response.status_code, 200)
        # XXX misa: I am not sure if this output is right, but there was
        # no test and the code is really horrible
        # The expected document lists four roles (sysadmin, developer,
        # intern, guru), each with the same five permission entries.  Role
        # ids (2, 3, 4, 8) and permission ids (1-5) are hard-coded, so the
        # comparison depends on the primary keys the test data ends up with.
        self.assertXMLEquals(response.content, """\
<roles count="4" end_index="3" filter_by="" full_collection="" id="http://testserver/api/v1/rbac/roles" limit="999999" next_page="0" num_pages="1" order_by="" per_page="4" previous_page="0" start_index="0">
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/2</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>sysadmin</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>2</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/3</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>developer</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>3</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/4</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>intern</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>4</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/8</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>guru</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>8</role_id>
  </role>
</roles>
""")
Exemple #17
 def _updateQuerySetTaggedDate(self, querySet):
     """Set the stored tagged_date of the given query set to the current time.

     The write is an UPDATE filtered on the primary key; the in-memory
     querySet object is not modified here.
     """
     matching_row = models.QuerySet.objects.filter(pk=querySet.pk)
     matching_row.update(tagged_date=timeutils.now())