def has_permission(self, request, view):
"""Check permission based on the defined access."""
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return True
if request.user.admin:
return True
if request.method in permissions.SAFE_METHODS:
if is_scope_principal(request):
return True
username = request.query_params.get('username')
if username:
decoded = request.user.identity_header.get('decoded', {})
identity_username = decoded.get('identity',
{}).get('user',
{}).get('username')
return username == identity_username
else:
group_read = request.user.access.get('group',
{}).get('read', [])
if group_read:
return True
else:
group_write = request.user.access.get('group', {}).get('write', [])
if group_write:
return True
return False
def get_group_queryset(request):
"""Obtain the queryset for groups."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
if scope != ACCOUNT_SCOPE:
return get_object_principal_queryset(request, scope, Group)
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return Group.objects.annotate(principalCount=Count('principals', distinct=True),
policyCount=Count('policies', distinct=True))
if request.user.admin:
return Group.objects.annotate(principalCount=Count('principals', distinct=True),
policyCount=Count('policies', distinct=True))
username = request.query_params.get('username')
if username:
decoded = request.user.identity_header.get('decoded', {})
identity_username = decoded.get('identity', {}).get('user', {}).get('username')
if username != identity_username:
return Group.objects.none()
else:
return Group.objects.filter(principals__username=username)
access = request.user.access
access_op = 'read'
if request.method in ('POST', 'PUT'):
access_op = 'write'
res_list = access.get('group', {}).get(access_op, [])
if not res_list:
return Group.objects.none()
if '*' in res_list:
return Group.objects.annotate(principalCount=Count('principals', distinct=True),
policyCount=Count('policies', distinct=True))
return Group.objects.filter(uuid__in=res_list).annotate(principalCount=Count('principals', distinct=True),
policyCount=Count('policies', distinct=True))
def has_group_all_access(request):
"""Quick check to determine if a request should have access to all groups on a tenant."""
return (
ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool)
or request.user.admin
or (request.path == reverse("group-list") and request.method == "GET")
)
def _get_proxy_service(self): # pylint: disable=no-self-use
"""Get proxy service host and port info from environment."""
proxy_conn_info = {
PROTOCOL:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PROTOCOL",
default="https"),
HOST:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_HOST",
default="localhost"),
PORT:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PORT",
default="443"),
PATH:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PATH",
default="/r/insights-services"),
SOURCE_CERT:
ENVIRONMENT.bool("PRINCIPAL_PROXY_SERVICE_SOURCE_CERT",
default=False),
SSL_VERIFY:
ENVIRONMENT.bool("PRINCIPAL_PROXY_SERVICE_SSL_VERIFY",
default=True),
USER_ENV:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_USER_ENV", default="env"),
CLIENT_ID:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_CLIENT_ID",
default="client_id"),
API_TOKEN:
ENVIRONMENT.get_value("PRINCIPAL_PROXY_API_TOKEN",
default="token"),
}
return proxy_conn_info
def _get_proxy_service(self): # pylint: disable=no-self-use
"""Get proxy service host and port info from environment."""
proxy_conn_info = {
PROTOCOL:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PROTOCOL',
default='https'),
HOST:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_HOST',
default='localhost'),
PORT:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PORT',
default='443'),
PATH:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PATH',
default='/r/insights-services'),
SOURCE_CERT:
ENVIRONMENT.bool('PRINCIPAL_PROXY_SERVICE_SOURCE_CERT',
default=False),
SSL_VERIFY:
ENVIRONMENT.bool('PRINCIPAL_PROXY_SERVICE_SSL_VERIFY',
default=True),
USER_ENV:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_USER_ENV', default='env'),
CLIENT_ID:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_CLIENT_ID',
default='client_id'),
API_TOKEN:
ENVIRONMENT.get_value('PRINCIPAL_PROXY_API_TOKEN', default='token')
}
return proxy_conn_info
def get_role_queryset(request):
"""Obtain the queryset for roles."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
base_query = annotate_roles_with_counts(
Role.objects.prefetch_related("access"))
if scope != ACCOUNT_SCOPE:
queryset = get_object_principal_queryset(
request,
scope,
Role,
**{
"prefetch_lookups_for_ids": "access",
"prefetch_lookups_for_groups": "policies__roles"
},
)
return annotate_roles_with_counts(queryset)
username = request.query_params.get("username")
if username:
if username != request.user.username and not request.user.admin:
return Role.objects.none()
else:
queryset = get_object_principal_queryset(
request,
PRINCIPAL_SCOPE,
Role,
**{
"prefetch_lookups_for_ids": "access",
"prefetch_lookups_for_groups": "policies__roles"
},
)
return annotate_roles_with_counts(queryset)
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return base_query
if request.user.admin:
return base_query
access = request.user.access
access_op = "read"
if request.method in ("POST", "PUT"):
access_op = "write"
res_list = access.get("role", {}).get(access_op, [])
if not res_list:
return Role.objects.none()
if "*" in res_list:
return base_query
return base_query.filter(uuid__in=res_list)
def has_permission(self, request, view):
"""Check permission based on the defined access."""
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return True
if request.user.admin:
return True
if request.method in permissions.SAFE_METHODS:
if is_scope_principal(request):
return True
role_read = request.user.access.get('role', {}).get('read', [])
if role_read:
return True
else:
role_write = request.user.access.get('role', {}).get('write', [])
if role_write:
return True
return False
def get_policy_queryset(request):
"""Obtain the queryset for policies."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
if scope != ACCOUNT_SCOPE:
return get_object_principal_queryset(request, scope, Policy)
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return Policy.objects.all()
if request.user.admin:
return Policy.objects.all()
access = user_has_perm(request, "policy")
if access == "All":
return Policy.objects.all()
if access == "None":
return Policy.objects.none()
return Policy.objects.filter(uuid__in=access)
def get_role_queryset(request):
"""Obtain the queryset for roles."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
if scope != ACCOUNT_SCOPE:
return get_object_principal_queryset(request, scope, Role)
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return Role.objects.annotate(policyCount=Count('policies', distinct=True))
if request.user.admin:
return Role.objects.annotate(policyCount=Count('policies', distinct=True))
access = request.user.access
access_op = 'read'
if request.method in ('POST', 'PUT'):
access_op = 'write'
res_list = access.get('role', {}).get(access_op, [])
if not res_list:
return Role.objects.none()
if '*' in res_list:
return Role.objects.annotate(policyCount=Count('policies', distinct=True))
return Role.objects.filter(uuid__in=res_list).annotate(policyCount=Count('policies', distinct=True))
def has_permission(self, request, view):
"""Check permission based on the defined access."""
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return True
if request.user.admin:
return True
if request.method in permissions.SAFE_METHODS:
if is_scope_principal(request):
return True
policy_read = request.user.access.get("policy", {}).get("read", [])
if policy_read:
return True
else:
policy_write = request.user.access.get("policy",
{}).get("write", [])
if policy_write:
return True
return False
def get_policy_queryset(request):
"""Obtain the queryset for policies."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
if scope != ACCOUNT_SCOPE:
return get_object_principal_queryset(request, scope, Policy)
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return Policy.objects.all()
if request.user.admin:
return Policy.objects.all()
access = request.user.access
access_op = "read"
if request.method in ("POST", "PUT"):
access_op = "write"
res_list = access.get("policy", {}).get(access_op, [])
if not res_list:
return Policy.objects.none()
if "*" in res_list:
return Policy.objects.all()
return Policy.objects.filter(uuid__in=res_list)
def get_policy_queryset(request):
"""Obtain the queryset for policies."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
if scope != ACCOUNT_SCOPE:
return get_object_principal_queryset(request, scope, Policy)
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return Policy.objects.all()
if request.user.admin:
return Policy.objects.all()
access = request.user.access
access_op = 'read'
if request.method in ('POST', 'PUT'):
access_op = 'write'
res_list = access.get('policy', {}).get(access_op, [])
if not res_list:
return Policy.objects.none()
if '*' in res_list:
return Policy.objects.all()
return Policy.objects.filter(uuid__in=res_list)
def get_role_queryset(request):
"""Obtain the queryset for roles."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
base_query = annotate_roles_with_counts(Role.objects.prefetch_related("access"))
if scope != ACCOUNT_SCOPE:
queryset = get_object_principal_queryset(
request,
scope,
Role,
**{"prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles"},
)
return annotate_roles_with_counts(queryset)
username = request.query_params.get("username")
if username:
if username != request.user.username and not request.user.admin:
return Role.objects.none()
else:
queryset = get_object_principal_queryset(
request,
PRINCIPAL_SCOPE,
Role,
**{"prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles"},
)
return annotate_roles_with_counts(queryset)
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return base_query
if request.user.admin:
return base_query
access = user_has_perm(request, "role")
if access == "All":
return base_query
if access == "None":
return Role.objects.none()
return annotate_roles_with_counts(Role.objects.filter(uuid__in=access))
def get_role_queryset(request):
"""Obtain the queryset for roles."""
scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE)
base_query = annotate_roles_with_counts(Role.objects.prefetch_related('access'))
if scope != ACCOUNT_SCOPE:
queryset = get_object_principal_queryset(request, scope, Role,
**{'prefetch_lookups_for_ids': 'access',
'prefetch_lookups_for_groups': 'policies__roles'})
return annotate_roles_with_counts(queryset)
username = request.query_params.get('username')
if username:
if username != request.user.username and not request.user.admin:
return Role.objects.none()
else:
queryset = get_object_principal_queryset(request, PRINCIPAL_SCOPE, Role,
**{'prefetch_lookups_for_ids': 'access',
'prefetch_lookups_for_groups': 'policies__roles'})
return annotate_roles_with_counts(queryset)
if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool):
return base_query
if request.user.admin:
return base_query
access = request.user.access
access_op = 'read'
if request.method in ('POST', 'PUT'):
access_op = 'write'
res_list = access.get('role', {}).get(access_op, [])
if not res_list:
return Role.objects.none()
if '*' in res_list:
return base_query
return base_query.filter(uuid__in=res_list)
def has_permission(self, request, view):
"""Check permission based on the defined access."""
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return True
if request.user.admin:
return True
if request.method in permissions.SAFE_METHODS:
if is_scope_principal(request) or request._request.path == reverse(
"group-list"):
return True
username = request.query_params.get("username")
if username:
return username == request.user.username
else:
group_read = request.user.access.get("group",
{}).get("read", [])
if group_read:
return True
else:
group_write = request.user.access.get("group", {}).get("write", [])
if group_write:
return True
return False
def has_permission(self, request, view):
"""Check permission based on Account Admin property."""
if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool):
return True
return request.user.admin