def test_adapt(self):
        """Adapting a proxied compute to IContainer must match the bare object."""
        # Register the principal the interaction runs as.
        authentication = getUtility(IAuthentication, context=None)
        authentication.registerPrincipal(User('user1'))
        user_interaction = self._get_interaction('user1')

        # Wrap the object being secured with a proxy for that interaction.
        plain_compute = self.make_compute()
        proxied_compute = proxy_factory(plain_compute, user_interaction)

        # The proxy must not change what the IContainer adaptation yields.
        plain_container = IContainer(plain_compute)
        proxied_container = IContainer(proxied_compute)
        eq_(plain_container, proxied_container)
    def _do_traverse(self, path):
        """Move the current location to ``path``.

        ``self.path`` (names) and ``self.obj_path`` (object references) are
        extended in step. Nothing is changed, and a message is written, when
        ``path`` does not resolve completely or when its last object does not
        provide ``IContainer``.
        """
        resolved, leftover = self.traverse_full(path)

        if not resolved or leftover:
            self.write('No such object: %s\n' % path)
            return

        if not IContainer.providedBy(resolved[-1]):
            self.write('Cannot cd to a non-container\n')
            return

        # Fixes #41.
        if os.path.isabs(path):
            resolved.insert(0, db.deref(self.obj_path[0]))

        # Handle '//foo/bar//fee': the first component is kept as it is (it is
        # empty for an absolute path), later empty components are dropped.
        raw_parts = path.split('/')
        names = raw_parts[:1] + [part for part in raw_parts[1:] if part != '']

        # Read the root reference before the stacks may be cleared below.
        root_ref = self.obj_path[0]

        if names[0] == '':
            del self.obj_path[:]
            del self.path[:]

        for target, label in zip(resolved, names):
            target_ref = db.ref(target)
            if label == '.':
                continue
            # Do not push the root a second time.
            if target_ref == root_ref and root_ref in self.obj_path:
                continue
            self.obj_path.append(target_ref)
            self.path.append(label)
    def _do_traverse(self, path):
        """Change the current container to the one named by ``path``.

        Writes an error and returns without touching ``self.path`` or
        ``self.obj_path`` if the path cannot be resolved in full or if the
        object it ends on does not provide ``IContainer``.
        """
        objs, unresolved_path = self.traverse_full(path)

        # Work out the rejection message first, then report it in one place.
        failure = None
        if not objs or unresolved_path:
            failure = 'No such object: %s\n' % path
        elif not IContainer.providedBy(objs[-1]):
            failure = 'Cannot cd to a non-container\n'
        if failure is not None:
            self.write(failure)
            return

        # Fixes #41.
        if os.path.isabs(path):
            objs.insert(0, db.deref(self.obj_path[0]))

        # Handle '//foo/bar//fee': keep the leading component, skip the empty
        # ones that follow it.
        components = []
        for position, comp in enumerate(path.split('/')):
            if position == 0 or comp != '':
                components.append(comp)

        # Must be read before the stacks are emptied for an absolute path.
        oms_root = self.obj_path[0]

        if components[0] == '':
            del self.obj_path[:]
            del self.path[:]

        for obj, name in zip(objs, components):
            ref = db.ref(obj)
            if name != '.' and not (ref == oms_root and oms_root in self.obj_path):
                self.obj_path.append(ref)
                self.path.append(name)
    def traverse_level_get(self, container, attrs, recursive=False,
                           maxlevel=5, level=0, add_full_paths=False):
        """Collect ``_do_cat`` data for the container children of ``container``.

        ``_do_cat`` is called for every listed element, but only elements that
        provide ``IContainer`` end up in the result, keyed by their
        ``'__name__'`` entry. With ``recursive`` set, nested results are stored
        under ``'children'``; ``maxlevel`` bounds how deep the recursion goes.
        ``add_full_paths`` is only passed on to the recursive call here.

        Returns:
            dict mapping element name to that element's data dict.
        """
        collected = {}
        for child in container.listcontent():
            entry = self._do_cat(child, attrs=attrs)
            if not IContainer.providedBy(child):
                continue

            if recursive and level < maxlevel:
                nested = self.traverse_level_get(
                    child, attrs, recursive=recursive, maxlevel=maxlevel,
                    level=level + 1, add_full_paths=add_full_paths)
                if nested:
                    entry.update({'children': nested})

            # Elements with no data at all are left out.
            if entry:
                collected[entry['__name__']] = entry

        return collected
    def traverse_level_set(self, data, container, attrs, recursive=False, maxlevel=5, level=0):
        """Create or update children of ``container`` from the nested mapping ``data``.

        Each value of ``data`` is a dict that carries at least ``'__module__'``
        and ``'__classname__'`` and optionally ``'children'``. An existing
        child is updated; a missing one is built from the class those two keys
        name and then added to ``container``. With ``recursive`` set, the
        ``'children'`` mapping is applied to container children, no deeper
        than ``maxlevel``.

        NOTE(review): the class to instantiate is chosen by ``data``. The only
        gate visible here is ``self.type_blacklist``, a denylist matched
        against the class name alone; the module name is not checked. If
        ``data`` can come from a less trusted source, an allowlist of
        (module, class) pairs is the safer control. Confirm the trust level
        of ``data`` with the caller.
        """
        def import_cls(module, name):
            # Import ``module`` by its dotted name and return attribute ``name``.
            # Importing runs the module-level code of whatever module is named.
            mod = __import__(module)
            # __import__ returns the top-level package; walk down to the leaf.
            for comp in module.split('.')[1:]:
                mod = getattr(mod, comp)
            return getattr(mod, name)

        for name, di in data.iteritems():
            # Progress line, indented one space per nesting level.
            self.write('%s%s\n' % (' ' * level, name))
            element = container[name]

            # Denylisted class names are skipped before anything is imported.
            if di['__classname__'] in self.type_blacklist:
                continue

            # Missing child: ``obj`` is the imported class; otherwise the existing child.
            obj = import_cls(di['__module__'], di['__classname__']) if not element else element

            if obj.__transient__:
                continue

            cobj = self._do_create_or_set(di, obj, attrs=attrs,
                                          marker=getattr(container, '__contains__', None))

            if cobj is None:
                continue

            # Only a newly created object has to be added to the container.
            if not element:
                container.add(cobj)

            if IContainer.providedBy(cobj) and recursive and level < maxlevel:
                chdata = di.get('children')
                if chdata is not None:
                    self.traverse_level_set(chdata, cobj, attrs,
                                            recursive=recursive,
                                            maxlevel=maxlevel,
                                            level=level + 1)
 def suffix(obj):
     """Return the marker appended to a name: '/', '*', '@' or ''.

     The container and command checks look at the symlink target, so a
     symlink to a container gets '/', not '@'.
     """
     if IContainer.providedBy(follow_symlinks(obj)):
         return '/'
     if ICommand.providedBy(follow_symlinks(obj)):
         return '*'
     return '@' if isinstance(obj, Symlink) else ''
 def pretty_name(item):
     """Return the item's name, coloured and marked by type where one applies.

     Containers get BLUE and '/', commands GREEN and '*', symlinks CYAN and
     '@'; anything else is returned as the bare name.
     """
     if IContainer.providedBy(item):
         colour, decorated = BLUE, '%s/' % (item.__name__,)
     elif ICommand.providedBy(item):
         colour, decorated = GREEN, '%s*' % (item.__name__,)
     elif isinstance(item, Symlink):
         colour, decorated = CYAN, '%s@' % (item.__name__,)
     else:
         return item.__name__
     return self.protocol.colorize(colour, decorated)
 def pretty_name(item):
     """Format an item's name for display.

     The first matching kind wins: container (BLUE, trailing '/'), command
     (GREEN, trailing '*'), symlink (CYAN, trailing '@'). Other items are
     shown with their plain name.
     """
     paint = self.protocol.colorize
     if IContainer.providedBy(item):
         return paint(BLUE, '%s/' % (item.__name__, ))
     if ICommand.providedBy(item):
         return paint(GREEN, '%s*' % (item.__name__, ))
     if isinstance(item, Symlink):
         return paint(CYAN, '%s@' % (item.__name__, ))
     return item.__name__
    def set_acl(self, obj, inherit, allow_perms, deny_perms, del_perms,
                recursive=False):
        """Apply ACL changes to ``obj`` and optionally to its direct children.

        Args:
            obj: object whose role assignments are changed.
            inherit: value stored in ``inherit_permissions``.
            allow_perms, deny_perms, del_perms: iterables (or None) of
                ``kind:principal:perms`` strings. ``perms`` is a run of
                one-character nicknames looked up in ``Role.nick_to_role``.
            recursive: also apply the change to the children that
                ``obj.listcontent()`` returns. Only that one level is
                visited here.

        Raises:
            NoSuchPermission: for a nickname missing from
                ``Role.nick_to_role``. Nicknames earlier in the same spec
                have already been passed to the setter at that point.

        NOTE(review): ``kind`` is only used to reject a user/group mismatch;
        any other value is accepted as it is. For children, the role manager
        and ``inherit_permissions`` come from the listed child itself, while
        the duplicate check uses ``follow_symlinks(child)``. Confirm that is
        the intended target when the child is a symlink.
        """
        role_manager = IPrincipalRoleManager(obj)
        auth = getUtility(IAuthentication, context=None)
        obj.inherit_permissions = inherit

        def mod_perm(what, setter, p):
            kind, principal, perms = p.split(':')
            if not perms:
                return

            prin = auth.getPrincipal(principal)
            # Refuse a spec whose kind contradicts what the principal really is.
            if isinstance(prin, Group) and kind == 'u':
                self.write(
                    "No such user '%s', it's a group, perhaps you mean 'g:%s:%s'\n"
                    % (principal, principal, perms))
                return
            if type(prin) is User and kind == 'g':
                self.write(
                    "No such group '%s', it's a user (%s), perhaps you mean 'u:%s:%s'\n"
                    % (principal, prin, principal, perms))
                return

            for nick in perms.strip():
                if nick not in Role.nick_to_role:
                    raise NoSuchPermission(nick)
                role_id = Role.nick_to_role[nick].id
                self.write("%s permission '%s', principal '%s'\n" %
                           (what, role_id, principal))
                setter(role_id, principal)

        def apply_perms(manager):
            # Allow first, then deny, then unset.
            for spec in allow_perms or []:
                mod_perm("Allowing", manager.assignRoleToPrincipal, spec)

            for spec in deny_perms or []:
                mod_perm("Denying", manager.removeRoleFromPrincipal, spec)

            for spec in del_perms or []:
                mod_perm("Unsetting", manager.unsetRoleForPrincipal, spec)

        apply_perms(role_manager)

        if not (recursive and IContainer.providedBy(obj)):
            return

        # Resolved targets already handled, so one object is not changed twice.
        visited = [obj]
        for child in obj.listcontent():
            if follow_symlinks(child) in visited:
                continue
            child_manager = IPrincipalRoleManager(child)
            child.inherit_permissions = inherit
            visited.append(follow_symlinks(child))
            apply_perms(child_manager)
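    def _do_print_acl(self, obj, verbose, recursive, seen):
        """Write the role assignments of ``obj`` as ``kind:principal:+/-roles`` lines.

        Args:
            obj: object whose ``IPrincipalRoleManager`` settings are printed.
            verbose: when true, each role is followed by ``{...}`` holding the
                permissions ``rolePermissionManager`` reports for it.
            recursive: when true, the children of a container are printed too.
            seen: list of objects already printed; extended in place.
        """
        prinrole = IPrincipalRoleManager(obj)
        auth = getUtility(IAuthentication, context=None)

        user_allow = collections.defaultdict(list)
        user_deny = collections.defaultdict(list)
        users = set()
        for role, principal, setting in prinrole.getPrincipalsAndRoles():
            users.add(principal)
            # Every setting other than 'Allow' is reported on the '-' line.
            if setting.getName() == 'Allow':
                user_allow[principal].append(role)
            else:
                user_deny[principal].append(role)

        def grants(role):
            # Permissions attached to the role, minus the 'oms.nothing' placeholder.
            return ','.join(
                '@%s' % perm[0]
                for perm in rolePermissionManager.getPermissionsForRole(role)
                if perm[0] != 'oms.nothing')

        def formatted_perms(principal, perms):
            prin = auth.getPrincipal(principal)
            typ = 'group' if isinstance(prin, Group) else 'user'
            # Roles without a nickname are shown as '(role)'.
            if verbose:
                rendered = ''.join(
                    '%s{%s}' % (Role.role_to_nick.get(i, '(%s)' % i), grants(i))
                    for i in sorted(perms))
            else:
                rendered = ''.join(
                    Role.role_to_nick.get(i, '(%s)' % i) for i in sorted(perms))
            return (typ, principal, rendered)

        for principal in users:
            if principal in user_allow:
                self.write("%s:%s:+%s\n" %
                           formatted_perms(principal, user_allow[principal]))
            if principal in user_deny:
                self.write("%s:%s:-%s\n" %
                           formatted_perms(principal, user_deny[principal]))

        if recursive and IContainer.providedBy(follow_symlinks(obj)):
            for sobj in follow_symlinks(obj).listcontent():
                # The membership test is made on the resolved target, so the
                # resolved target is what has to be recorded. Recording the
                # symlink itself never matched later lookups, which let a
                # symlink loop recurse without end.
                target = follow_symlinks(sobj)
                if target not in seen:
                    seen.append(target)
                    self.write('%s:\n' % canonical_path(sobj))
                    self._do_print_acl(sobj, verbose, recursive, seen)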
        def set_owner(path):
            """Set ``__owner__`` of the object at ``path`` to ``principal``.

            Unresolved paths and transient objects are reported and skipped.
            With ``args.recursive`` the children of a container are handled
            the same way, by re-traversing each child path. No depth limit is
            applied here.

            NOTE(review): no permission check is visible in this closure;
            confirm the caller, or the objects that ``traverse`` returns,
            enforce who may change ownership.
            """
            node = self.traverse(path)

            if not node:
                self.write('Not found: %s\n' % path)
                return

            if node.__transient__:
                self.write("Transient object %s cannot have its owner changed\n" % path)
                return

            node.__owner__ = principal

            if not (IContainer.providedBy(node) and args.recursive):
                return
            for child in node.listcontent():
                set_owner(os.path.join(path, child.__name__))
    def set_acl(self, obj, inherit, allow_perms, deny_perms, del_perms, recursive=False):
        """Change the role assignments of ``obj``.

        ``allow_perms``, ``deny_perms`` and ``del_perms`` each hold
        ``kind:principal:perms`` strings (or are None). Every character of
        ``perms`` is a nickname resolved through ``Role.nick_to_role``; an
        unknown one raises ``NoSuchPermission`` after the nicknames before it
        in that spec were already applied. ``inherit`` is stored in
        ``inherit_permissions``. With ``recursive``, the same change is made
        on the direct children of a container, one level only.

        NOTE(review): the user/group mismatch test is the only use of
        ``kind``. On children, roles are set through the role manager of the
        listed child, not of its symlink target. Confirm both are intended.
        """
        prinrole = IPrincipalRoleManager(obj)
        auth = getUtility(IAuthentication, context=None)
        obj.inherit_permissions = inherit

        def mod_perm(what, setter, p):
            kind, principal, perms = p.split(':')
            if not perms:
                return

            prin = auth.getPrincipal(principal)
            is_group_named_as_user = isinstance(prin, Group) and kind == 'u'
            if is_group_named_as_user:
                self.write("No such user '%s', it's a group, perhaps you mean 'g:%s:%s'\n" %
                           (principal, principal, perms))
                return
            is_user_named_as_group = type(prin) is User and kind == 'g'
            if is_user_named_as_group:
                self.write("No such group '%s', it's a user (%s), perhaps you mean 'u:%s:%s'\n" %
                           (principal, prin, principal, perms))
                return

            for perm in perms.strip():
                if perm not in Role.nick_to_role:
                    raise NoSuchPermission(perm)
                role = Role.nick_to_role[perm].id
                message = "%s permission '%s', principal '%s'\n" % (what, role, principal)
                self.write(message)
                setter(role, principal)

        def apply_perms(prinrole):
            # Order matters to the outcome: allow, then deny, then unset.
            for p in allow_perms or []:
                mod_perm("Allowing", prinrole.assignRoleToPrincipal, p)

            for p in deny_perms or []:
                mod_perm("Denying", prinrole.removeRoleFromPrincipal, p)

            for p in del_perms or []:
                mod_perm("Unsetting", prinrole.unsetRoleForPrincipal, p)

        apply_perms(prinrole)

        # Resolved targets that were already changed.
        done = [obj]
        if recursive and IContainer.providedBy(obj):
            for sobj in obj.listcontent():
                if follow_symlinks(sobj) in done:
                    continue
                child_roles = IPrincipalRoleManager(sobj)
                sobj.inherit_permissions = inherit
                done.append(follow_symlinks(sobj))
                apply_perms(child_roles)
    def traverse_level_set(self,
                           data,
                           container,
                           attrs,
                           recursive=False,
                           maxlevel=5,
                           level=0):
        """Apply the nested mapping ``data`` to the children of ``container``.

        For each ``name -> dict`` pair the child of that name is updated or,
        when it is missing, created from the class named by the dict's
        ``'__module__'`` and ``'__classname__'`` keys and added to
        ``container``. ``'children'`` is applied recursively to container
        children while ``recursive`` is set and ``level < maxlevel``.

        NOTE(review): ``data`` decides which module is imported and which
        class is used. ``self.type_blacklist`` is a denylist compared with
        the class name only, and the module name is unchecked. If ``data``
        may come from a less trusted source, restrict creation to an
        allowlist of (module, class) pairs. Confirm where ``data``
        originates.
        """
        def import_cls(module, name):
            # Resolve ``name`` inside the dotted ``module``; the import itself
            # executes that module's top-level code.
            mod = __import__(module)
            # __import__ hands back the top-level package, so descend by hand.
            for comp in module.split('.')[1:]:
                mod = getattr(mod, comp)
            return getattr(mod, name)

        for name, di in data.iteritems():
            # Echo the name, indented by the current depth.
            self.write('%s%s\n' % (' ' * level, name))
            element = container[name]

            # The denylist check happens before any import is attempted.
            if di['__classname__'] in self.type_blacklist:
                continue

            # Existing child is reused; otherwise ``obj`` is the imported class.
            obj = import_cls(di['__module__'],
                             di['__classname__']) if not element else element

            if obj.__transient__:
                continue

            cobj = self._do_create_or_set(di,
                                          obj,
                                          attrs=attrs,
                                          marker=getattr(
                                              container, '__contains__', None))

            if cobj is None:
                continue

            # Newly created objects still have to be placed in the container.
            if not element:
                container.add(cobj)

            if IContainer.providedBy(cobj) and recursive and level < maxlevel:
                chdata = di.get('children')
                if chdata is not None:
                    self.traverse_level_set(chdata,
                                            cobj,
                                            attrs,
                                            recursive=recursive,
                                            maxlevel=maxlevel,
                                            level=level + 1)
        def set_owner(path, level):
            """Set ``__owner__`` of the object at ``path`` to ``principal``.

            Unresolved paths are reported. Transient objects are skipped, with
            a message only when ``args.verbose`` is set. With
            ``args.recursive`` the children of a container are processed too,
            as long as ``level`` stays below ``args.limit``.

            NOTE(review): no permission check is visible in this closure;
            confirm the caller, or the objects that ``traverse`` returns,
            enforce who may change ownership.
            """
            node = self.traverse(path)

            if not node:
                self.write('Not found: %s\n' % path)
                return

            if node.__transient__:
                if args.verbose:
                    notice = "Transient object %s cannot have its owner changed\n" % path
                    self.write(notice)
                return

            node.__owner__ = principal

            descend = (IContainer.providedBy(node) and args.recursive
                       and level < args.limit)
            if not descend:
                return
            for child in node.listcontent():
                set_owner(os.path.join(path, child.__name__), level + 1)
    def traverse_level_get(self, container, attrs, recursive=False, maxlevel=5, level=0,
                           add_full_paths=False):
        """Return ``{name: data}`` for the container children of ``container``.

        Every listed element is passed to ``_do_cat``; only those providing
        ``IContainer`` are kept, under the ``'__name__'`` value of their
        data. When ``recursive`` is set and ``level`` is below ``maxlevel``,
        the child's own result is attached as ``'children'``.
        ``add_full_paths`` is forwarded to the recursive call and not used
        otherwise in this method.
        """
        # Does not change per element, so decide once.
        may_descend = recursive and level < maxlevel

        result = {}
        for element in container.listcontent():
            info = self._do_cat(element, attrs=attrs)
            if IContainer.providedBy(element):
                if may_descend:
                    below = self.traverse_level_get(element, attrs,
                                                    recursive=recursive,
                                                    maxlevel=maxlevel,
                                                    level=level + 1,
                                                    add_full_paths=add_full_paths)
                    if below:
                        info.update({'children': below})

                # Empty data means there is nothing to report for this element.
                if info:
                    result[info['__name__']] = info

        return result
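    def _do_print_acl(self, obj, verbose, recursive, seen):
        """Print the ACL of ``obj``, one ``kind:principal:+roles`` or ``-roles`` line each.

        Args:
            obj: object whose principal/role settings are listed.
            verbose: also show, in braces after each role, the permissions
                that ``rolePermissionManager`` returns for the role.
            recursive: descend into the children of containers.
            seen: list of objects already listed; this method appends to it.
        """
        prinrole = IPrincipalRoleManager(obj)
        auth = getUtility(IAuthentication, context=None)

        user_allow = collections.defaultdict(list)
        user_deny = collections.defaultdict(list)
        users = set()
        for role, principal, setting in prinrole.getPrincipalsAndRoles():
            users.add(principal)
            # Anything that is not an 'Allow' setting goes to the deny list.
            if setting.getName() == 'Allow':
                user_allow[principal].append(role)
            else:
                user_deny[principal].append(role)

        for principal in users:
            def formatted_perms(perms):
                prin = auth.getPrincipal(principal)
                typ = 'group' if isinstance(prin, Group) else 'user'
                if verbose:
                    def grants(role):
                        # 'oms.nothing' is left out of the permission list.
                        return ','.join('@%s' % perm[0]
                                        for perm in rolePermissionManager.getPermissionsForRole(role)
                                        if perm[0] != 'oms.nothing')
                    return (typ, principal, ''.join('%s{%s}' %
                                                    (Role.role_to_nick.get(i, '(%s)' % i), grants(i))
                                                    for i in sorted(perms)))
                else:
                    return (typ, principal, ''.join(Role.role_to_nick.get(i, '(%s)' % i)
                                                    for i in sorted(perms)))

            if principal in user_allow:
                self.write("%s:%s:+%s\n" % formatted_perms(user_allow[principal]))
            if principal in user_deny:
                self.write("%s:%s:-%s\n" % formatted_perms(user_deny[principal]))

        if recursive and IContainer.providedBy(follow_symlinks(obj)):
            for sobj in follow_symlinks(obj).listcontent():
                # Store what the membership test compares against: the
                # resolved target. Storing the symlink object meant a target
                # reached through symlinks was never recognised as visited,
                # so a symlink cycle could recurse without bound.
                resolved = follow_symlinks(sobj)
                if resolved not in seen:
                    seen.append(resolved)
                    self.write('%s:\n' % canonical_path(sobj))
                    self._do_print_acl(sobj, verbose, recursive, seen)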
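    def execute(self, args):
        """Move the object at ``args.paths[0]`` to ``args.paths[1]``.

        When the destination path does not resolve, its parent directory is
        used as the destination and the last path component becomes the new
        name. A message is written and nothing is moved when the source does
        not resolve or when the destination is not a container.
        """
        src_path, dest_path = args.paths

        src = self.traverse(src_path)
        dest = self.traverse(dest_path)

        # An unresolved source used to be handed straight to ``dest.add``.
        # Same falsy test as the destination check below.
        if not src:
            self.write("No such object: %s\n" % src_path)
            return

        rename = None

        # move and rename
        if not dest:
            dest = self.traverse(os.path.dirname(dest_path))
            rename = os.path.basename(dest_path)

        if not IContainer.providedBy(dest):
            self.write("Destination %s has to be a container.\n" % dest)
            return

        # `add` will take care of removing the old parent.
        dest.add(src)

        if rename:
            dest.rename(src.__name__, rename)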
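    def execute(self, args):
        """Move, and possibly rename, the source object into a destination container.

        ``args.paths`` is a ``(source, destination)`` pair. If the
        destination does not resolve, the object is moved into the
        destination's parent and renamed to the destination's base name.
        Nothing is moved, and a message is written, when the source cannot
        be resolved or the destination does not provide ``IContainer``.
        """
        src_path, dest_path = args.paths

        src = self.traverse(src_path)
        dest = self.traverse(dest_path)

        # Stop before ``dest.add`` is called with a source that was not
        # found; the test mirrors the ``if not dest`` check that follows.
        if not src:
            self.write("No such object: %s\n" % src_path)
            return

        rename = None

        # move and rename
        if not dest:
            dest = self.traverse(os.path.dirname(dest_path))
            rename = os.path.basename(dest_path)

        if not IContainer.providedBy(dest):
            self.write("Destination %s has to be a container.\n" % dest)
            return

        # `add` will take care of removing the old parent.
        dest.add(src)

        if rename:
            dest.rename(src.__name__, rename)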
    def complete(self, token, parsed, parser, **kwargs):
        """Return path completions for ``token``, or None when none apply.

        The directory part of ``token`` is traversed; if it is a container,
        every child whose joined path starts with ``token`` is returned with
        a type marker appended ('/', '*', '@' or nothing).

        NOTE(review): no permission filter is applied to the listed children
        here. Confirm that ``listcontent()`` on the traversed container only
        yields objects the current user may see, otherwise completion can
        reveal their names.
        """
        # If there is still any positional option to complete:
        if not self.expected_action(parsed, parser):
            return None

        base_path = os.path.dirname(token)
        container = self.context.traverse(base_path)
        if not IContainer.providedBy(container):
            return None

        def suffix(obj):
            # Container and command are judged on the symlink target.
            if IContainer.providedBy(follow_symlinks(obj)):
                return '/'
            if ICommand.providedBy(follow_symlinks(obj)):
                return '*'
            if isinstance(obj, Symlink):
                return '@'
            return ''

        def name(obj):
            return os.path.join(base_path, obj.__name__)

        candidates = []
        for obj in container.listcontent():
            full_name = name(obj)
            if full_name.startswith(token):
                candidates.append(full_name + suffix(obj))
        return candidates
    def _do_ls(self, obj, path='.', recursive=False):
        """Write a listing of ``obj`` and, optionally, of its sub-containers.

        A container is listed by its children, sorted by name and limited to
        those for which the interaction grants 'view'. A non-container, or
        any object when ``self.opts_dir`` is set, is listed as itself.
        ``self.opts_long`` selects the long format. With ``recursive`` set,
        child containers that are not symlinks and were not visited yet are
        listed in turn under a ``path:`` header.
        """
        # Guard against listing the same object twice.
        # NOTE(review): assert statements are removed under ``python -O``, so
        # this cannot be relied on to stop a revisit.
        assert obj not in self.visited
        self.visited.append(obj)

        def pretty_name(item):
            # Name plus type marker, coloured: '/' container, '*' command, '@' symlink.
            if IContainer.providedBy(item):
                return self.protocol.colorize(BLUE, '%s/' % (item.__name__,))
            elif ICommand.providedBy(item):
                return self.protocol.colorize(GREEN, '%s*' % (item.__name__,))
            elif isinstance(item, Symlink):
                return self.protocol.colorize(CYAN, '%s@' % (item.__name__,))
            else:
                return item.__name__

        def make_long_lines(container):
            def get_symlink_nicknames(item):
                # Yield the canonical path, then the target's nicknames. A
                # source that raises Unauthorized is logged and skipped.
                for method in (lambda item: [canonical_path(item)],
                               lambda item: getattr(follow_symlinks(item), 'nicknames', [])):
                    try:
                        for n in method(item):
                            yield n
                    except Unauthorized:
                        log.err(system='security')

            def nick(item):
                return (get_symlink_nicknames(item) if isinstance(item, Symlink)
                        else getattr(item, 'nicknames', []))

            def owner(item):
                # An object without an owner is shown as 'root'.
                return item.__owner__ or 'root'

            # One UTF-8 encoded line per object: effective permissions of the
            # symlink target, owner, mtime (or a placeholder for transient
            # objects), name and nicknames.
            return [(('%s %s %s\t%s\t%s\n' % (pretty_effective_perms(self.protocol.interaction,
                                                                     follow_symlinks(subobj)),
                                              owner(subobj),
                                              datetime.datetime.fromtimestamp(subobj.mtime).isoformat()
                                                if not subobj.__transient__
                                                else '         <transient>         ',
                                              pretty_name(subobj),
                                              ' : '.join(nick(subobj)))).encode('utf-8'))
                    for subobj in container]

        def make_short_lines(container):
            return columnize([pretty_name(subobj) for subobj in container], displaywidth=self.protocol.width)

        def filter_by_permission(i):
            # Fails closed: if the permission check raises, the error is
            # logged and None is returned, so the item is left out.
            try:
                return self.protocol.interaction.checkPermission('view', i)
            except Exception as e:
                log.msg('Error accessing %s' % i, system='ls')
                log.err(e)

        # The 'view' filter covers the children of a container only; in the
        # other branch ``obj`` itself is listed without that check.
        # NOTE(review): presumably the caller has already authorised access
        # to ``obj``; confirm.
        container = (sorted(filter(filter_by_permission, obj.listcontent()), key=lambda o: o.__name__)
                     if IContainer.providedBy(obj) and not self.opts_dir
                     else [obj])

        for line in (make_long_lines(container) if self.opts_long else make_short_lines(container)):
            self.write(line)

        if recursive and IContainer.providedBy(obj) and not self.opts_dir:
            for ch in container:
                child_obj = obj[ch.__name__]
                # Symlinks are not descended into, and ``self.visited`` keeps
                # an object from being listed twice.
                if (IContainer.providedBy(child_obj)
                        and not isinstance(child_obj, Symlink)
                        and child_obj not in self.visited):
                    self.write("\n%s:\n" % os.path.join(path, ch.__name__.encode('utf8')))
                    self._do_ls(child_obj, os.path.join(path, ch.__name__), recursive=True)
    def _do_ls(self, obj, path='.', recursive=False):
        """List ``obj`` in short or long format, recursing when asked to.

        For a container (and ``self.opts_dir`` unset) the children that pass
        the 'view' permission check are listed in name order; otherwise
        ``obj`` itself is the single entry. ``self.opts_long`` chooses the
        long format. With ``recursive`` set, each child container that is
        not a symlink and not yet in ``self.visited`` is listed after a
        ``path:`` header.
        """
        # Revisit guard.
        # NOTE(review): this is an assert, which ``python -O`` strips, so it
        # is not a dependable safeguard on its own.
        assert obj not in self.visited
        self.visited.append(obj)

        def pretty_name(item):
            # Coloured name with '/' for containers, '*' for commands and
            # '@' for symlinks; other items keep their plain name.
            if IContainer.providedBy(item):
                return self.protocol.colorize(BLUE, '%s/' % (item.__name__, ))
            elif ICommand.providedBy(item):
                return self.protocol.colorize(GREEN, '%s*' % (item.__name__, ))
            elif isinstance(item, Symlink):
                return self.protocol.colorize(CYAN, '%s@' % (item.__name__, ))
            else:
                return item.__name__

        def make_long_lines(container):
            def get_symlink_nicknames(item):
                # Canonical path first, then the nicknames of the target.
                # Unauthorized from either source is logged, not propagated.
                for method in (lambda item: [canonical_path(item)],
                               lambda item: getattr(follow_symlinks(item),
                                                    'nicknames', [])):
                    try:
                        for n in method(item):
                            yield n
                    except Unauthorized:
                        log.err(system='security')

            def nick(item):
                return (get_symlink_nicknames(item) if isinstance(
                    item, Symlink) else getattr(item, 'nicknames', []))

            def owner(item):
                # Falls back to 'root' when no owner is set.
                return item.__owner__ or 'root'

            # Each line: effective permissions of the symlink target, owner,
            # mtime or a transient placeholder, name, nicknames; encoded as
            # UTF-8.
            return [
                (('%s %s %s\t%s\t%s\n' %
                  (pretty_effective_perms(self.protocol.interaction,
                                          follow_symlinks(subobj)),
                   owner(subobj), datetime.datetime.fromtimestamp(
                       subobj.mtime).isoformat() if not subobj.__transient__
                   else '         <transient>         ', pretty_name(subobj),
                   ' : '.join(nick(subobj)))).encode('utf-8'))
                for subobj in container
            ]

        def make_short_lines(container):
            return columnize([pretty_name(subobj) for subobj in container],
                             displaywidth=self.protocol.width)

        def filter_by_permission(i):
            # Fails closed: an exception from the check is logged and the
            # implicit None return drops the item from the listing.
            try:
                return self.protocol.interaction.checkPermission('view', i)
            except Exception as e:
                log.msg('Error accessing %s' % i, system='ls')
                log.err(e)

        # Only the children of a container go through the 'view' filter; in
        # the ``[obj]`` branch the object is listed without it.
        # NOTE(review): presumably access to ``obj`` was authorised by the
        # caller; confirm.
        container = (sorted(filter(filter_by_permission, obj.listcontent()),
                            key=lambda o: o.__name__)
                     if IContainer.providedBy(obj) and not self.opts_dir else
                     [obj])

        for line in (make_long_lines(container)
                     if self.opts_long else make_short_lines(container)):
            self.write(line)

        if recursive and IContainer.providedBy(obj) and not self.opts_dir:
            for ch in container:
                child_obj = obj[ch.__name__]
                # Symlinked containers are skipped and already visited
                # objects are not listed again.
                if (IContainer.providedBy(child_obj)
                        and not isinstance(child_obj, Symlink)
                        and child_obj not in self.visited):
                    self.write("\n%s:\n" %
                               os.path.join(path, ch.__name__.encode('utf8')))
                    self._do_ls(child_obj,
                                os.path.join(path, ch.__name__),
                                recursive=True)
 def collect(container):
     """Register a Symlink in ``computes`` for every ICompute item below ``container``.

     Entries are keyed by ``__name__``, so a later item with the same name
     replaces an earlier one. Every item providing IContainer is descended
     into; no depth limit or visited set is kept here.
     """
     for entry in container.listcontent():
         if ICompute.providedBy(entry):
             computes[entry.__name__] = Symlink(entry.__name__, entry)
         if IContainer.providedBy(entry):
             collect(entry)
 def collect(container):
     """Walk ``container`` and add a Symlink to ``computes`` for each ICompute item.

     The key is the item's ``__name__``; equal names overwrite each other.
     Recursion follows every item that provides IContainer, without a depth
     limit or a record of visited containers.
     """
     for node in container.listcontent():
         is_compute = ICompute.providedBy(node)
         if is_compute:
             computes[node.__name__] = Symlink(node.__name__, node)
         # An item may be both a compute and a container, so test separately.
         if IContainer.providedBy(node):
             collect(node)