def get_policy_statements(self, request, view):
    """
    Load the stored access policy statements for the requested view.

    `rest_access_policy.AccessPolicy` calls this hook to obtain its statements from an
    external source. See the drf-access-policy docs:
    https://rsinger86.github.io/drf-access-policy/loading_external_source/

    The `pulpcore.plugin.models.AccessPolicy` row is selected by its `viewset_name`, which is
    computed with `get_view_urlpattern(view)`. This method has no fallback: whatever
    `objects.get()` raises (for instance when no row matches) propagates to the caller, so no
    statements are returned for a view without a stored policy.

    Args:
        request (rest_framework.request.Request): The request being checked for authorization.
            The lookup itself does not read it.
        view (subclass rest_framework.viewsets.GenericViewSet): The view being requested.

    Returns:
        The access policy statements in drf-access-policy policy structure.
    """
    urlpattern = get_view_urlpattern(view)
    stored_policy = AccessPolicyModel.objects.get(viewset_name=urlpattern)
    return stored_policy.statements
def get_policy_statements(self, request, view):
    """
    Load the access policy statements for the requested view, with a code-defined fallback.

    `rest_access_policy.AccessPolicy` calls this hook to obtain its statements from an
    external source. See the drf-access-policy docs:
    https://rsinger86.github.io/drf-access-policy/loading_external_source/

    The `pulpcore.plugin.models.AccessPolicy` row is selected by its `viewset_name`, which is
    computed with `get_view_urlpattern(view)`.

    When that lookup raises `DoesNotExist`, `AttributeError` or `ProgrammingError`, the
    statements come from the view's `DEFAULT_ACCESS_POLICY` attribute if it has one, and
    otherwise from a single statement that allows every action to the `admin` principal only.
    The fallback lets RBAC be enabled endpoint by endpoint.

    Args:
        request (rest_framework.request.Request): The request being checked for authorization.
            The lookup itself does not read it.
        view (subclass rest_framework.viewsets.GenericViewSet): The view being requested.

    Returns:
        The access policy statements in drf-access-policy policy structure.
    """
    try:
        urlpattern = get_view_urlpattern(view)
        stored_policy = AccessPolicyModel.objects.get(viewset_name=urlpattern)
    except (AccessPolicyModel.DoesNotExist, AttributeError, ProgrammingError):
        # Any of these failures switches authorization to code-defined statements, so a row
        # customized in the database is not consulted on this path.
        # NOTE(review): AttributeError is caught for the whole try body; it presumably covers
        # views that get_view_urlpattern cannot name, but it would also hide an unrelated
        # AttributeError raised during the lookup -- confirm this breadth is intended.
        admin_only = {
            "statements": [{"action": "*", "principal": "admin", "effect": "allow"}]
        }
        fallback_policy = getattr(view, "DEFAULT_ACCESS_POLICY", admin_only)
        # A DEFAULT_ACCESS_POLICY without a "statements" key raises KeyError here rather than
        # dropping to the admin-only statement.
        return fallback_policy["statements"]
    return stored_policy.statements
def _populate_access_policies(sender, apps, verbosity, **kwargs):
    """
    Create or refresh the stored access policy of every viewset that ships a default.

    For each viewset in `sender.named_viewsets` that defines `DEFAULT_ACCESS_POLICY`, a row
    keyed by `get_view_urlpattern(viewset)` is created from that default when missing. An
    existing row is overwritten with the default only while its `customized` flag is false.
    Rows flagged `customized` are never touched here, so a later change to the shipped default
    (including a tightened one) does not reach them.

    Args:
        sender: Object exposing `named_viewsets`, a mapping whose values are iterables of
            viewsets. Presumably a plugin app config receiving a Django signal -- confirm
            against where this handler is connected.
        apps: App registry used to resolve the `core.AccessPolicy` model.
        verbosity: Progress messages are printed when this is at least 1.
        **kwargs: Ignored.
    """
    from pulpcore.app.util import get_view_urlpattern

    try:
        AccessPolicy = apps.get_model("core", "AccessPolicy")
    except LookupError:
        # Without the model there is nothing to initialize; return without touching the DB.
        if verbosity >= 1:
            print(_("AccessPolicy model does not exist. Skipping initialization."))
        return

    for viewset_batch in sender.named_viewsets.values():
        for viewset in viewset_batch:
            default_policy = getattr(viewset, "DEFAULT_ACCESS_POLICY", None)
            if default_policy is None:
                continue

            viewset_name = get_view_urlpattern(viewset)
            _rename_permissions_assignment_workaround(default_policy, viewset)
            stored_policy, created = AccessPolicy.objects.get_or_create(
                viewset_name=viewset_name, defaults=default_policy
            )

            if created:
                if verbosity >= 1:
                    print(
                        _("Access policy for {viewset_name} created.").format(
                            viewset_name=viewset_name
                        )
                    )
            elif not stored_policy.customized:
                # Uncustomized rows track the code default: copy every key of the default
                # onto the row. The keys come from the viewset class, not from a request.
                for field_name, field_value in default_policy.items():
                    setattr(stored_policy, field_name, field_value)
                stored_policy.save()
                if verbosity >= 1:
                    print(
                        _("Access policy for {viewset_name} updated.").format(
                            viewset_name=viewset_name
                        )
                    )
def _populate_access_policies(sender, **kwargs):
    """
    Create the stored access policy of every viewset that ships a default and has none yet.

    For each viewset in `sender.named_viewsets` that defines `DEFAULT_ACCESS_POLICY`, a row
    keyed by `get_view_urlpattern(viewset)` is created from that default if it is missing.
    Existing rows are left as they are: `get_or_create` applies `defaults` only when it
    inserts, so a changed default in code does not reach a row that already exists.

    Args:
        sender: Object exposing `label` and `named_viewsets`, a mapping whose values are
            iterables of viewsets.
        **kwargs: Only `apps` is read; when it is absent or None the global Django app
            registry is used instead.
    """
    from pulpcore.app.util import get_view_urlpattern

    print(f"Initialize missing access policies for {sender.label}.")

    registry = kwargs.get("apps")
    if registry is None:
        from django.apps import apps as registry
    AccessPolicy = registry.get_model("core", "AccessPolicy")

    for viewset_batch in sender.named_viewsets.values():
        for viewset in viewset_batch:
            default_policy = getattr(viewset, "DEFAULT_ACCESS_POLICY", None)
            if default_policy is None:
                continue
            AccessPolicy.objects.get_or_create(
                viewset_name=get_view_urlpattern(viewset), defaults=default_policy
            )
def _populate_access_policies(sender, **kwargs):
    """
    Create or refresh the stored access policy of every viewset that ships a default.

    For each viewset in `sender.named_viewsets` that defines `DEFAULT_ACCESS_POLICY`, a row
    keyed by `get_view_urlpattern(viewset)` is created from that default when missing. An
    existing row is overwritten with the default only while its `customized` flag is false.
    Rows flagged `customized` are never touched here, so a later change to the shipped default
    (including a tightened one) does not reach them.

    Args:
        sender: Object exposing `named_viewsets`, a mapping whose values are iterables of
            viewsets.
        **kwargs: Only `apps` is read; when it is absent or None the global Django app
            registry is used instead.
    """
    from pulpcore.app.util import get_view_urlpattern

    registry = kwargs.get("apps")
    if registry is None:
        from django.apps import apps as registry
    AccessPolicy = registry.get_model("core", "AccessPolicy")

    for viewset_batch in sender.named_viewsets.values():
        for viewset in viewset_batch:
            default_policy = getattr(viewset, "DEFAULT_ACCESS_POLICY", None)
            if default_policy is None:
                continue

            viewset_name = get_view_urlpattern(viewset)
            stored_policy, created = AccessPolicy.objects.get_or_create(
                viewset_name=viewset_name, defaults=default_policy
            )

            if created:
                print(f"Access policy for {viewset_name} created.")
            elif not stored_policy.customized:
                # Uncustomized rows track the code default: copy every key of the default
                # onto the row. The keys come from the viewset class, not from a request.
                for field_name, field_value in default_policy.items():
                    setattr(stored_policy, field_name, field_value)
                stored_policy.save()
                print(f"Access policy for {viewset_name} updated.")
def reset(self, request, pk=None):
    """
    Reset the access policy to its uncustomized default value.

    The policy returned by `self.get_object()` is matched against every viewset of every
    plugin config by comparing `get_view_urlpattern(viewset)` with the policy's
    `viewset_name`. The first match supplies `DEFAULT_ACCESS_POLICY`: its statements and
    creation hooks replace the stored ones, `customized` is cleared, and the row is saved.

    NOTE(review): nothing in this block checks who may call it or records that customized
    statements were discarded; confirm the action is covered by the viewset's own access
    policy and consider logging the reset.

    Args:
        request: The incoming request; passed to the serializer context.
        pk: Not read in this method.

    Returns:
        A `Response` carrying the serialized, reset access policy.

    Raises:
        RuntimeError: If no viewset matches the policy's `viewset_name`.
    """
    access_policy = self.get_object()

    # Flatten plugin configs -> viewset batches -> viewsets into one lazy stream.
    all_viewsets = (
        viewset
        for plugin_config in pulp_plugin_configs()
        for viewset_batch in plugin_config.named_viewsets.values()
        for viewset in viewset_batch
    )

    for viewset in all_viewsets:
        if get_view_urlpattern(viewset) != access_policy.viewset_name:
            continue

        defaults = viewset.DEFAULT_ACCESS_POLICY
        access_policy.statements = defaults["statements"]
        # "permissions_assignment" is read only when "creation_hooks" is missing or falsy.
        hooks = defaults.get("creation_hooks")
        if not hooks:
            hooks = defaults.get("permissions_assignment")
        access_policy.creation_hooks = hooks
        access_policy.customized = False
        access_policy.save()

        serializer = AccessPolicySerializer(access_policy, context={"request": request})
        return Response(serializer.data)

    raise RuntimeError("Viewset for access policy was not found.")