Esempio n. 1
    def alter_detail_data_to_serialize(self, request, data):
        """Annotate a detail bundle with the IAM actions allowed for the caller.

        When ``self._meta`` carries no truthy ``iam_resource_helper`` the data
        is returned untouched. Otherwise one multi-action query is sent through
        ``helper.iam`` and the names of the actions reported as allowed are
        stored under ``data.data["auth_actions"]``.

        NOTE(review): this only publishes the decision in the serialized
        payload; presumably the actual enforcement lives elsewhere - confirm.
        """
        iam_helper = getattr(self._meta, "iam_resource_helper", None)
        if not iam_helper:
            return data

        # Resources the decision is evaluated against.
        target_resources = iam_helper.get_resources(data)

        # Subject and environment are produced by the helper from the
        # incoming request and the bundle.
        iam_request = MultiActionRequest(
            iam_helper.system,
            iam_helper.get_subject_for_alter_detail(request, data),
            [Action(name) for name in iam_helper.actions],
            target_resources,
            iam_helper.get_environment_for_alter_detail(request, data),
        )

        decisions = iam_helper.iam.resource_multi_actions_allowed(iam_request)

        # NOTE(review): the debug record holds the full request dict and the
        # decision map; check that debug-level logs are treated as
        # access-control data where this runs.
        message = "tastypie alter_detail_data_to_serialize resource_multi_actions_allowed request({}) result: {}".format(
            iam_request.to_dict(), decisions
        )
        logger.debug(message)

        # Only actions with a truthy decision are exposed; everything else is
        # left out of the list.
        granted = []
        for name, allowed in decisions.items():
            if allowed:
                granted.append(name)
        data.data["auth_actions"] = granted

        return data
Esempio n. 2
    def iam_get_instance_auth_actions(self, request, instance):
        """Return the names of the IAM actions allowed on a single instance.

        Returns ``None`` when ``self`` has no truthy ``iam_resource_helper``;
        otherwise a list with every action whose decision from
        ``helper.iam.resource_multi_actions_allowed`` is truthy.
        """
        iam_helper = getattr(self, "iam_resource_helper", None)
        if not iam_helper:
            return None

        # Resources the decision is evaluated against.
        target_resources = iam_helper.get_resources(instance)

        # Subject and environment are produced by the helper from the
        # incoming request and the instance.
        iam_request = MultiActionRequest(
            iam_helper.system,
            iam_helper.get_subject_for_alter_detail(request, instance),
            [Action(name) for name in iam_helper.actions],
            target_resources,
            iam_helper.get_environment_for_alter_detail(request, instance),
        )

        decisions = iam_helper.iam.resource_multi_actions_allowed(iam_request)

        # NOTE(review): the debug record holds the full request dict and the
        # decision map; check that debug-level logs are treated as
        # access-control data where this runs.
        message = "[drf iam_get_instance_auth_actions] resource_multi_actions_allowed request({}) result: {}".format(
            iam_request.to_dict(), decisions
        )
        iam_logger.debug(message)

        # Keep only the actions with a truthy decision.
        granted = []
        for name, allowed in decisions.items():
            if allowed:
                granted.append(name)

        return granted
Esempio n. 3
def get_resources_allowed_actions_for_user(username, system_id, actions, resources_list):
    """Ask IAM which of ``actions`` the user may perform on each resource group.

    The subject is always built with type ``"user"``. The base request is
    created with an empty resource list and an empty environment dict;
    ``resources_list`` is handed to the batch call unchanged and the batch
    call's result is returned as is.

    NOTE(review): ``username`` is used as given - presumably the caller passes
    the authenticated identity rather than a client-supplied name; confirm.
    """
    user_subject = Subject("user", username)
    wrapped_actions = [Action(name) for name in actions]
    base_request = MultiActionRequest(system_id, user_subject, wrapped_actions, [], {})

    client = get_iam_client()
    return client.batch_resource_multi_actions_allowed(base_request, resources_list)
Esempio n. 4
    def resource_inst_multi_actions_allowed(self, username, actions_ids,
                                            resource_id):
        """Check several actions for one user against one resource instance.

        The resource is built from ``settings.APP_ID``,
        ``self.resource_type_id`` and ``resource_id`` with an empty attribute
        dict; the subject is always of type ``"user"`` and the environment is
        ``None``. The result of ``self.iam.resource_multi_actions_allowed``
        is returned unchanged.
        """
        target = Resource(settings.APP_ID, self.resource_type_id,
                          resource_id, {})
        wrapped_actions = [Action(one_id) for one_id in actions_ids]

        iam_request = MultiActionRequest(
            settings.APP_ID,
            Subject("user", username),
            wrapped_actions,
            [target],
            None,
        )
        return self.iam.resource_multi_actions_allowed(iam_request)
Esempio n. 5
 def batch_resource_multi_actions_allowed(
     self, username: str, action_ids: List[str], resources: List[Resource]
 ) -> Dict[str, Dict[str, bool]]:
     """
     Check whether the user holds each of the given actions on several resources.

     The SDK currently supports only resources of the same type.

     :return: example {'0ad86c25363f4ef8adcb7ac67a483837': {'project_view': True, 'project_edit': False}}
     """
     wrapped_actions = [Action(one_id) for one_id in action_ids]
     # The base request carries no resources; they are supplied per group below.
     base_request = MultiActionRequest(
         settings.BK_IAM_SYSTEM_ID,
         Subject("user", username),
         wrapped_actions,
         [],
         None,
     )
     # Every resource is wrapped in its own one-element list before the batch call.
     grouped = [[one_resource] for one_resource in resources]
     return self.iam.batch_resource_multi_actions_allowed(base_request, grouped)
Esempio n. 6
    def resource_inst_multi_actions_allowed(
        self, username: str, action_ids: List[str], resources: List[Resource]
    ) -> Dict[str, bool]:
        """
        Check whether the user holds several actions on one (single) resource instance.

        Note: the decision depends on the resource instance, e.g. updating one
        specific resource.

        NOTE(review): the description speaks of a single instance while the
        parameter is a list that is passed through unchanged - confirm what
        callers are expected to put in ``resources``.

        :return: example {'project_view': True, 'project_edit': False}
        """
        wrapped_actions = [Action(one_id) for one_id in action_ids]
        iam_request = MultiActionRequest(
            settings.BK_IAM_SYSTEM_ID,
            Subject("user", username),
            wrapped_actions,
            resources,
            None,
        )
        return self.iam.resource_multi_actions_allowed(iam_request)
Esempio n. 7
    def iam_get_instances_auth_actions(self, request, instances):
        """Map each instance id to the IAM actions allowed on that instance.

        Returns ``None`` when ``self`` has no truthy ``iam_resource_helper`` or
        when ``instances`` yields nothing. Otherwise one batch query is issued
        and the result is a dict keyed by ``instance.id``.

        ``instances`` is walked twice (once to collect resources, once to
        assemble the result) - assumes it is re-iterable, TODO confirm.
        """
        iam_helper = getattr(self, "iam_resource_helper", None)
        if not iam_helper:
            return None

        # One resource group per instance, in iteration order.
        per_instance_resources = [
            iam_helper.get_resources(obj) for obj in instances
        ]
        if not per_instance_resources:
            return None

        # The base request carries no resources; the groups go to the batch call.
        batch_request = MultiActionRequest(
            iam_helper.system,
            iam_helper.get_subject_for_alter_list(request, instances),
            [Action(name) for name in iam_helper.actions],
            [],
            iam_helper.get_environment_for_alter_list(request, instances),
        )

        decisions_by_rid = iam_helper.iam.batch_resource_multi_actions_allowed(
            batch_request, per_instance_resources)

        # NOTE(review): the debug record holds the full request dict and the
        # decision map; check that debug-level logs are treated as
        # access-control data where this runs.
        message = "[drf iam_get_instances_auth_actions] batch_resource_multi_actions_allowed request({}) result: {}".format(
            batch_request.to_dict(), decisions_by_rid)
        iam_logger.debug(message)

        # Decisions are looked up by the stringified resource id while the
        # result is keyed by instance.id. An instance whose resource id is
        # missing from the answer gets an empty list, i.e. no actions.
        allowed_by_instance = {}
        for obj in instances:
            resource_key = str(iam_helper.get_resources_id(obj))
            decisions = decisions_by_rid.get(resource_key, {})
            allowed_by_instance[obj.id] = [
                name for name, ok in decisions.items() if ok
            ]

        return allowed_by_instance
Esempio n. 8
    def alter_list_data_to_serialize(self, request, data):
        """Annotate every bundle of a list response with its allowed IAM actions.

        ``data`` is returned untouched when ``self._meta`` has no truthy
        ``iam_resource_helper`` or when ``data["objects"]`` is empty. Otherwise
        one batch query is issued and each bundle receives the allowed action
        names under ``bundle.data["auth_actions"]``.

        NOTE(review): this only publishes the decision in the serialized
        payload; presumably the actual enforcement lives elsewhere - confirm.
        """
        iam_helper = getattr(self._meta, "iam_resource_helper", None)
        if not iam_helper:
            return data

        # One resource group per bundle, in list order.
        per_bundle_resources = [
            iam_helper.get_resources(item) for item in data["objects"]
        ]
        if not per_bundle_resources:
            return data

        # The base request carries no resources; the groups go to the batch call.
        batch_request = MultiActionRequest(
            iam_helper.system,
            iam_helper.get_subject_for_alter_list(request, data),
            [Action(name) for name in iam_helper.actions],
            [],
            iam_helper.get_environment_for_alter_list(request, data),
        )

        decisions_by_rid = iam_helper.iam.batch_resource_multi_actions_allowed(
            batch_request, per_bundle_resources
        )

        # NOTE(review): the debug record holds the full request dict and the
        # decision map; check that debug-level logs are treated as
        # access-control data where this runs.
        message = "tastypie alter_list_data_to_serialize batch_resource_multi_actions_allowed request({}) result: {}".format(
            batch_request.to_dict(), decisions_by_rid
        )
        logger.debug(message)

        # A bundle whose resource id is missing from the answer gets an empty
        # list, i.e. no actions.
        for item in data["objects"]:
            resource_key = str(iam_helper.get_resources_id(item))
            decisions = decisions_by_rid.get(resource_key, {})
            item.data["auth_actions"] = [
                name for name, ok in decisions.items() if ok
            ]

        return data
Esempio n. 9
    def batch_resource_multi_actions_allowed(self, username, actions_ids,
                                             resource_ids):
        """Check several actions for one user against many resource ids.

        The subject is always of type ``"user"`` and the environment is
        ``None``. Each id becomes a ``Resource`` of ``self.resource_type_id``
        under ``settings.APP_ID`` with an empty attribute dict, wrapped in its
        own one-element list. The result of
        ``self.iam.batch_resource_multi_actions_allowed`` is returned unchanged.
        """
        wrapped_actions = [Action(one_id) for one_id in actions_ids]
        # The base request carries no resources; they are supplied per group below.
        base_request = MultiActionRequest(
            settings.APP_ID,
            Subject("user", username),
            wrapped_actions,
            [],
            None,
        )

        grouped = [
            [Resource(settings.APP_ID, self.resource_type_id, one_id, {})]
            for one_id in resource_ids
        ]

        return self.iam.batch_resource_multi_actions_allowed(
            base_request, grouped)