 def test_webaccess_firerole_serialization(self):
     """webaccess - firerole role definition correctly serialized"""
     from invenio.modules.access.control import acc_get_role_definition
     from invenio.modules.access.firerole import compile_role_definition, \
         deserialize
     # The role created in setUp was stored as serialize(compile(...)).
     # Reading it back through the access layer and deserializing must
     # yield exactly the freshly compiled form of the same source text.
     expected = compile_role_definition(self.role_definition)
     stored_blob = acc_get_role_definition(self.role_id)
     actual = deserialize(stored_blob)
     self.assertEqual(expected, actual)
 def test_webaccess_firerole_serialization(self):
     """webaccess - firerole role definition correctly serialized"""
     from invenio.modules.access.control import acc_get_role_definition
     from invenio.modules.access.firerole import compile_role_definition, \
         deserialize
     # Round-trip check: what the access layer stores for the fixture role
     # must deserialize to the compiled form of the original rule text.
     expected = compile_role_definition(self.role_definition)
     stored_blob = acc_get_role_definition(self.role_id)
     actual = deserialize(stored_blob)
     self.assertEqual(expected, actual)
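def do_upgrade():
    """Rewrite Bibdoc firerole statuses for the email -> uid migration.

    Two changes are applied to every Bibdoc whose ``status`` starts with
    ``firerole:``:

    * a status of exactly ``firerole: allow any`` (no restriction at all)
      is cleared to the empty string;
    * every other rule set is re-compiled and re-emitted, with a single
      *literal* ``email`` expression rewritten to the matching user's
      ``uid`` so the rule keeps working after an address change.

    Regex expressions (``reg`` flag set on the expression tuple) are
    re-emitted in ``/.../`` form and are never rewritten to ``uid``;
    previously the flag was unpacked but ignored, so a regex rule could not
    round-trip (it was either quoted as a literal, silently changing who
    matches, or aborted the upgrade). Dates (float timestamps) are written
    back as ``YYYY-MM-DD`` in local time.

    Raises:
        RuntimeError: if an expression value is of a type that cannot be
            re-serialized; the upgrade aborts rather than write an
            access-control rule it cannot represent.
    """
    import time
    import warnings

    from invenio.modules.accounts.models import User
    from invenio.modules.editor.models import Bibdoc
    from invenio.modules.access.firerole import compile_role_definition

    # An unconditional "allow any" is equivalent to no restriction.
    Bibdoc.query.filter_by(status='firerole: allow any').update(
        dict(status='')
    )

    # Migrate from email to uid.
    updates = []
    for d in Bibdoc.query.filter(Bibdoc.status.like("firerole:%")):
        firerole = d.status[len("firerole:"):].strip()
        default_p, roles = compile_role_definition(firerole)
        lines = []
        for allow_p, not_p, field, exp in roles:
            line = []
            line.append("allow" if allow_p else "deny")
            if not_p:
                line.append("not")

            # Rewrite a single literal email into the user's uid. A regex
            # email rule (exp[0][0] truthy) matches many addresses and must
            # be left untouched.
            if field == 'email' and len(exp) == 1 and not exp[0][0]:
                email = exp[0][1]
                try:
                    u = User.query.filter_by(email=email).one()
                except Exception as err:
                    # No such user, several users with that address, or a
                    # DB error: keep the email rule as-is rather than drop
                    # it, but record why so the operator can follow up.
                    warnings.warn(
                        "Can't find user for email %s: %s" % (email, err)
                    )
                else:
                    line.append('uid')
                    line.append('"%s"' % u.id)
                    lines.append(" ".join(line))
                    continue

            line.append(field)
            for reg, value in exp:
                if reg:
                    # compile_role_definition may hand back a compiled
                    # pattern or the pattern string -- TODO confirm; emit
                    # the source either way so the rule round-trips.
                    line.append('/%s/' % getattr(value, 'pattern', value))
                elif isinstance(value, basestring):
                    # NOTE(review): not escaped; a literal containing '"'
                    # would not round-trip -- confirm against the grammar.
                    line.append('"%s"' % value)
                elif isinstance(value, float):
                    # Local-time formatting, as before; the day may shift
                    # if the server timezone differs from the one used
                    # when the rule was written -- TODO confirm.
                    line.append('"%s"' % time.strftime(
                        "%Y-%m-%d",
                        time.localtime(value)
                    ))
                else:
                    raise RuntimeError("Can't create line for %s" % exp)
            lines.append(" ".join(line))
        lines.append("allow any" if default_p else "deny all")
        new_firerole = "\n".join(lines)
        if firerole != new_firerole:
            updates.append((d.id, "firerole: %s" % new_firerole))

    for docid, status in updates:
        Bibdoc.query.filter_by(id=docid).update(dict(status=status))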
 def setUp(self):
     """Create a fake role."""
     from invenio.modules.access.control import acc_add_role
     from invenio.modules.access.firerole import compile_role_definition, \
         serialize
     # Fixture: a regex email rule; the DB stores serialize(compile(...))
     # alongside the source text.
     self.role_name = 'test'
     self.role_description = 'test role'
     self.role_definition = 'allow email /.*@cern.ch/'
     compiled_blob = serialize(
         compile_role_definition(self.role_definition))
     # acc_add_role returns a 4-tuple; only the new role id is needed.
     role_id, _, _, _ = acc_add_role(self.role_name,
                                     self.role_description,
                                     compiled_blob,
                                     self.role_definition)
     self.role_id = role_id
 def setUp(self):
     """Create a fake role."""
     from invenio.modules.access.control import acc_add_role
     from invenio.modules.access.firerole import compile_role_definition, \
         serialize
     # Fixture: a regex email rule granting access to CERN addresses.
     self.role_name = 'test'
     self.role_description = 'test role'
     self.role_definition = 'allow email /.*@cern.ch/'
     compiled_blob = serialize(
         compile_role_definition(self.role_definition))
     # acc_add_role returns a 4-tuple; keep only the new role id.
     role_id, _, _, _ = acc_add_role(
         self.role_name, self.role_description,
         compiled_blob, self.role_definition)
     self.role_id = role_id
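def do_upgrade():
    """Rewrite Bibdoc firerole statuses for the email -> uid migration.

    For every Bibdoc whose ``status`` starts with ``firerole:``: an exact
    ``firerole: allow any`` (no restriction) is cleared to the empty
    string; any other rule set is re-compiled and re-emitted, with a
    single *literal* ``email`` expression rewritten to the matching user's
    ``uid``.

    Regex expressions (``reg`` flag set) are re-emitted as ``/.../`` and
    never rewritten to ``uid``; the flag used to be unpacked but ignored,
    so a regex rule could not round-trip (quoted as a literal, silently
    changing who matches, or aborting the upgrade). Float values are dates
    and are written back as ``YYYY-MM-DD`` in local time.

    Raises:
        RuntimeError: if an expression value cannot be re-serialized; the
            upgrade aborts rather than write a rule it cannot represent.
    """
    import time
    import warnings

    from invenio.modules.accounts.models import User
    from invenio.modules.editor.models import Bibdoc
    from invenio.modules.access.firerole import compile_role_definition

    # An unconditional "allow any" is equivalent to no restriction.
    Bibdoc.query.filter_by(status='firerole: allow any').update(
        dict(status=''))

    # Migrate from email to uid.
    updates = []
    for d in Bibdoc.query.filter(Bibdoc.status.like("firerole:%")):
        firerole = d.status[len("firerole:"):].strip()
        default_p, roles = compile_role_definition(firerole)
        lines = []
        for allow_p, not_p, field, exp in roles:
            line = []
            line.append("allow" if allow_p else "deny")
            if not_p:
                line.append("not")

            # Rewrite a single literal email into the user's uid; a regex
            # email rule (exp[0][0] truthy) matches many addresses and is
            # left untouched.
            if field == 'email' and len(exp) == 1 and not exp[0][0]:
                email = exp[0][1]
                try:
                    u = User.query.filter_by(email=email).one()
                except Exception as err:
                    # Unknown address, duplicate users or a DB error: keep
                    # the email rule rather than drop it, and say why.
                    warnings.warn(
                        "Can't find user for email %s: %s" % (email, err))
                else:
                    line.append('uid')
                    line.append('"%s"' % u.id)
                    lines.append(" ".join(line))
                    continue

            line.append(field)
            for reg, value in exp:
                if reg:
                    # Value may be a compiled pattern or the pattern text
                    # -- TODO confirm; emit the source either way.
                    line.append('/%s/' % getattr(value, 'pattern', value))
                elif isinstance(value, basestring):
                    # NOTE(review): not escaped; a literal containing '"'
                    # would not round-trip -- confirm against the grammar.
                    line.append('"%s"' % value)
                elif isinstance(value, float):
                    # Local-time formatting, as before (timezone-dependent).
                    line.append(
                        '"%s"' %
                        time.strftime("%Y-%m-%d", time.localtime(value)))
                else:
                    raise RuntimeError("Can't create line for %s" % exp)
            lines.append(" ".join(line))
        lines.append("allow any" if default_p else "deny all")
        new_firerole = "\n".join(lines)
        if firerole != new_firerole:
            updates.append((d.id, "firerole: %s" % new_firerole))

    for docid, status in updates:
        Bibdoc.query.filter_by(id=docid).update(dict(status=status))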
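    def save_acl(self, c):
        """Create or refresh the access-control objects for collection ``c``.

        Ensures: a dedicated role named after this object's id (role names
        are limited to 32 chars) whose firerole allows the project's group
        and denies everyone else; the ``collection`` argument for ``c``;
        exactly one user-role binding, the owner ``self.id_user``; and a
        ``viewrestrcoll`` authorization tying role, action and argument
        together. Existing rows are reused. Nothing is committed here; the
        caller owns the session.

        Raises:
            RuntimeError: if the ``viewrestrcoll`` action does not exist.
                Writing an authorization with ``action=None`` would create
                a broken ACL row, so the method fails closed instead.
        """
        # Role - use Community id, because role name is limited to 32 chars.
        role_name = 'project_role_%s' % self.id
        role = AccROLE.query.filter_by(name=role_name).first()
        if not role:
            # NOTE(review): the group name is interpolated unescaped into
            # the firerole source; a name containing '"' or a newline would
            # change the rule -- confirm get_group_name() cannot yield one.
            rule = 'allow group "%s"\ndeny any' % self.get_group_name()
            role = AccROLE(name=role_name,
                           description='Owner of project %s' % self.title,
                           firerole_def_ser=serialize(
                               compile_role_definition(rule)),
                           firerole_def_src=rule)
            db.session.add(role)

        # Argument
        fields = dict(keyword='collection', value=c.name)
        arg = AccARGUMENT.query.filter_by(**fields).first()
        if not arg:
            arg = AccARGUMENT(**fields)
            db.session.add(arg)

        # Action: fail closed rather than persist an authorization whose
        # action is None.
        action = AccACTION.query.filter_by(name='viewrestrcoll').first()
        if action is None:
            raise RuntimeError("access action 'viewrestrcoll' is not defined")

        # User role: the owner must be the only user bound to this role.
        # Keep the owner's binding, delete every other user's, so the role
        # can never leave ownership with someone else.
        userrole = None
        for ur in UserAccROLE.query.filter_by(role=role).all():
            if ur.id_user == self.id_user:
                userrole = ur
            else:
                db.session.delete(ur)

        if not userrole:
            userrole = UserAccROLE(id_user=self.id_user, role=role)
            db.session.add(userrole)

        # Authorization
        auth = AccAuthorization.query.filter_by(role=role,
                                                action=action,
                                                argument=arg).first()
        if not auth:
            auth = AccAuthorization(role=role,
                                    action=action,
                                    argument=arg,
                                    argumentlistid=1)
            # Add explicitly like the other rows; whether a relationship
            # cascade would pull it into the session is not visible here.
            db.session.add(auth)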
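    def save_acl(self, c):
        """Create or refresh the access-control objects for collection ``c``.

        Ensures: a dedicated role named after this object's id (role names
        are limited to 32 chars) whose firerole allows the instrument's
        group and denies everyone else; the ``collection`` argument for
        ``c``; exactly one user-role binding, the owner ``self.user_id``;
        and a ``viewrestrcoll`` authorization tying role, action and
        argument together. Existing rows are reused. Nothing is committed
        here; the caller owns the session.

        Raises:
            RuntimeError: if the ``viewrestrcoll`` action does not exist.
                Writing an authorization with ``action=None`` would create
                a broken ACL row, so the method fails closed instead.
        """
        # Role - use Community id, because role name is limited to 32 chars.
        role_name = 'instrument_role_%s' % self.id
        role = AccROLE.query.filter_by(name=role_name).first()
        if not role:
            # NOTE(review): the group name is interpolated unescaped into
            # the firerole source; a name containing '"' or a newline would
            # change the rule -- confirm get_group_name() cannot yield one.
            rule = 'allow group "%s"\ndeny any' % self.get_group_name()
            role = AccROLE(
                name=role_name,
                description='Owner of instruments %s' % self.name,
                firerole_def_ser=serialize(compile_role_definition(rule)),
                firerole_def_src=rule)
            db.session.add(role)

        # Argument
        fields = dict(keyword='collection', value=c.name)
        arg = AccARGUMENT.query.filter_by(**fields).first()
        if not arg:
            arg = AccARGUMENT(**fields)
            db.session.add(arg)

        # Action: fail closed rather than persist an authorization whose
        # action is None.
        action = AccACTION.query.filter_by(name='viewrestrcoll').first()
        if action is None:
            raise RuntimeError("access action 'viewrestrcoll' is not defined")

        # User role: the owner must be the only user bound to this role.
        # Keep the owner's binding, delete every other user's, so the role
        # can never leave ownership with someone else.
        userrole = None
        for ur in UserAccROLE.query.filter_by(role=role).all():
            if ur.id_user == self.user_id:
                userrole = ur
            else:
                db.session.delete(ur)

        if not userrole:
            userrole = UserAccROLE(id_user=self.user_id, role=role)
            db.session.add(userrole)

        # Authorization
        auth = AccAuthorization.query.filter_by(role=role, action=action,
                                                argument=arg).first()
        if not auth:
            auth = AccAuthorization(role=role, action=action, argument=arg,
                                    argumentlistid=1)
            # Add explicitly like the other rows; whether a relationship
            # cascade would pull it into the session is not visible here.
            db.session.add(auth)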