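    def test_request_is_admin_and_request_has_role(self):
        """Both helpers grant access with auth disabled and enforce the role otherwise.

        ``request_user_is_admin`` and ``request_user_has_role`` are exercised for an
        admin and a regular user, first with ``auth.enable`` overridden to False and
        then to True. The override is cleared on cleanup so later tests see the
        original setting instead of whichever value this test set last.
        """
        mock_request_admin_user = mock.Mock()
        mock_request_regular_user = mock.Mock()
        mock_request_admin_user.context = {'auth': {'user': self.admin_user}}
        mock_request_regular_user.context = {'auth': {'user': self.regular_user}}

        # Previously the test returned with auth.enable left overridden to True;
        # restore the pre-test value so test order cannot change authorization
        # outcomes in other tests.
        self.addCleanup(cfg.CONF.clear_override, 'enable', group='auth')

        # Auth disabled: every caller is treated as admin and as holding the role
        cfg.CONF.set_override(name='enable', override=False, group='auth')

        for request in (mock_request_regular_user, mock_request_admin_user):
            self.assertTrue(request_user_is_admin(request=request))
            self.assertTrue(request_user_has_role(request=request, role=SystemRole.ADMIN))

        # Auth enabled: only the admin user passes
        cfg.CONF.set_override(name='enable', override=True, group='auth')

        self.assertTrue(request_user_is_admin(request=mock_request_admin_user))
        self.assertTrue(request_user_has_role(request=mock_request_admin_user,
                                              role=SystemRole.ADMIN))

        self.assertFalse(request_user_is_admin(request=mock_request_regular_user))
        self.assertFalse(request_user_has_role(request=mock_request_regular_user,
                                               role=SystemRole.ADMIN))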
    def get_one(self, name, scope=SYSTEM_SCOPE, user=None, decrypt=False):
        """
            Retrieve a single key by name.

            Handle:
                GET /keys/key1

            Requesting a key of another ``user`` or with ``decrypt`` set is
            subject to the admin checks below, which run before the lookup.
        """
        # Validate the scope as supplied, before a user query param may rewrite it
        self._validate_scope(scope=scope)

        # An explicit user narrows the lookup to the user scope
        if user:
            scope = USER_SCOPE

        requester_user = get_requester()
        if not user:
            user = requester_user
        is_admin = request_user_is_admin(request=pecan.request)

        # Decrypting is only allowed for admins or for the caller's own item
        self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

        # Only admins may look up an item on behalf of another user
        assert_request_user_is_admin_if_user_query_param_is_provider(request=pecan.request,
                                                                     user=user)

        key_ref = get_key_reference(scope=scope, name=name, user=user)
        return self._get_one_by_scope_and_name(
            name=key_ref,
            scope=scope,
            from_model_kwargs={'mask_secrets': not decrypt},
        )
    def get_all(self,
                prefix=None,
                scope=FULL_SYSTEM_SCOPE,
                user=None,
                decrypt=False,
                **kwargs):
        """
            List all keys.

            Handles requests:
                GET /keys/

            Authorization checks run in this order, before any lookup: the
            "all" scope requires admin, ``decrypt`` is validated against the
            scope and admin status, and a ``user`` query param requires admin.

            :param prefix: Optional key name prefix to filter on.
            :param scope: Datastore scope; passing ``user`` implies the user scope.
            :param user: Look up keys of this user instead of the requester (admin only).
            :param decrypt: Return unmasked values (admin or own items only).
        """
        if not scope:
            scope = FULL_SYSTEM_SCOPE

        if user:
            # Providing a user implies a user scope
            scope = FULL_USER_SCOPE

        scope = get_datastore_full_scope(scope)
        requester_user = get_requester()
        user = user or requester_user
        is_all_scope = (scope == ALL_SCOPE)
        is_admin = request_user_is_admin(request=pecan.request)

        # Listing every scope is an admin-only operation
        if is_all_scope and not is_admin:
            msg = '"all" scope requires administrator access'
            raise AccessDeniedError(message=msg, user_db=requester_user)

        # User needs to be either admin or requesting items for themselves
        self._validate_decrypt_query_parameter(decrypt=decrypt,
                                               scope=scope,
                                               is_admin=is_admin)

        # Validate that the authenticated user is admin if user query param is provided
        assert_request_user_is_admin_if_user_query_param_is_provided(
            request=pecan.request, user=user)

        from_model_kwargs = {'mask_secrets': not decrypt}
        kwargs['prefix'] = prefix

        # NOTE(review): `not in` is a membership test against ALL_SCOPE, while the
        # check above compares with `==` — confirm both are meant to agree.
        if scope and scope not in ALL_SCOPE:
            self._validate_scope(scope=scope)
            kwargs['scope'] = scope

        if scope == USER_SCOPE or scope == FULL_USER_SCOPE:
            # Make sure we only returned values scoped to current user
            if kwargs['prefix']:
                # NOTE(review): this branch scopes the prefix to requester_user while
                # the else branch (and get_one) use `user`; the two differ only when
                # an admin passes ?user=... — confirm which is intended.
                kwargs['prefix'] = get_key_reference(name=kwargs['prefix'],
                                                     scope=scope,
                                                     user=requester_user)
            else:
                kwargs['prefix'] = get_key_reference(name='',
                                                     scope=scope,
                                                     user=user)

        kvp_apis = super(KeyValuePairController,
                         self)._get_all(from_model_kwargs=from_model_kwargs,
                                        **kwargs)
        return kvp_apis
    def get_one(self, name, scope=FULL_SYSTEM_SCOPE, user=None, decrypt=False):
        """
            Retrieve a single key by name.

            Handle:
                GET /keys/key1

            The admin checks for ``decrypt`` and for an explicit ``user`` run
            before the datastore lookup.
        """
        # An explicit user narrows the lookup to the user scope; an empty
        # scope falls back to the system scope
        if user:
            scope = FULL_USER_SCOPE
        elif not scope:
            scope = FULL_SYSTEM_SCOPE

        scope = get_datastore_full_scope(scope)
        self._validate_scope(scope=scope)

        requester_user = get_requester()
        if not user:
            user = requester_user
        is_admin = request_user_is_admin(request=pecan.request)

        # Decrypting is only allowed for admins or for the caller's own item
        self._validate_decrypt_query_parameter(decrypt=decrypt,
                                               scope=scope,
                                               is_admin=is_admin)

        # Only admins may look up an item on behalf of another user
        assert_request_user_is_admin_if_user_query_param_is_provided(
            request=pecan.request, user=user)

        key_ref = get_key_reference(scope=scope, name=name, user=user)
        return self._get_one_by_scope_and_name(
            name=key_ref, scope=scope, from_model_kwargs={'mask_secrets': not decrypt})
    def get_all(self, prefix=None, scope=FULL_SYSTEM_SCOPE, user=None, decrypt=False, **kwargs):
        """
            List all keys.

            Handles requests:
                GET /keys/

            Authorization checks run in this order, before any lookup: the
            "all" scope requires admin, ``decrypt`` is validated against the
            scope and admin status, and a ``user`` query param requires admin.

            :param prefix: Optional key name prefix to filter on.
            :param scope: Datastore scope; passing ``user`` implies the user scope.
            :param user: Look up keys of this user instead of the requester (admin only).
            :param decrypt: Return unmasked values (admin or own items only).
        """
        if not scope:
            scope = FULL_SYSTEM_SCOPE

        if user:
            # Providing a user implies a user scope
            scope = FULL_USER_SCOPE

        scope = get_datastore_full_scope(scope)
        requester_user = get_requester()
        user = user or requester_user
        is_all_scope = (scope == ALL_SCOPE)
        is_admin = request_user_is_admin(request=pecan.request)

        # Listing every scope is an admin-only operation
        if is_all_scope and not is_admin:
            msg = '"all" scope requires administrator access'
            raise AccessDeniedError(message=msg, user_db=requester_user)

        # User needs to be either admin or requesting items for themselves
        self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

        # Validate that the authenticated user is admin if user query param is provided
        assert_request_user_is_admin_if_user_query_param_is_provider(request=pecan.request,
                                                                     user=user)

        from_model_kwargs = {'mask_secrets': not decrypt}
        kwargs['prefix'] = prefix

        # NOTE(review): `not in` is a membership test against ALL_SCOPE, while the
        # check above compares with `==` — confirm both are meant to agree.
        if scope and scope not in ALL_SCOPE:
            self._validate_scope(scope=scope)
            kwargs['scope'] = scope

        if scope == USER_SCOPE or scope == FULL_USER_SCOPE:
            # Make sure we only returned values scoped to current user
            if kwargs['prefix']:
                # NOTE(review): this branch scopes the prefix to requester_user while
                # the else branch (and get_one) use `user`; the two differ only when
                # an admin passes ?user=... — confirm which is intended.
                kwargs['prefix'] = get_key_reference(name=kwargs['prefix'], scope=scope,
                                                     user=requester_user)
            else:
                kwargs['prefix'] = get_key_reference(name='', scope=scope,
                                                     user=user)

        kvp_apis = super(KeyValuePairController, self)._get_all(from_model_kwargs=from_model_kwargs,
                                                                **kwargs)
        return kvp_apis
    def _get_from_model_kwargs_for_request(self, request):
        """
        Build the from_model kwargs for a request.

        ``mask_secrets`` starts from the ``api.mask_secrets`` config value and is
        only switched off when the caller is an admin who passed ?show_secrets=True.
        """
        mask_secrets = cfg.CONF.api.mask_secrets

        wants_secrets = self._get_query_param_value(
            request=request, param_name=SHOW_SECRETS_QUERY_PARAM, param_type="bool", default_value=False
        )

        # Non-admins keep the config default regardless of the query param
        if wants_secrets and request_user_is_admin(request=request):
            mask_secrets = False

        return {"mask_secrets": mask_secrets}
    def _get_from_model_kwargs_for_request(self, request):
        """
        Build the from_model kwargs for a request.

        ``mask_secrets`` starts from the ``api.mask_secrets`` config value and is
        only switched off when the caller is an admin who passed ?show_secrets=True.
        """
        mask_secrets = cfg.CONF.api.mask_secrets

        wants_secrets = self._get_query_param_value(request=request,
                                                    param_name=SHOW_SECRETS_QUERY_PARAM,
                                                    param_type='bool',
                                                    default_value=False)

        # Non-admins keep the config default regardless of the query param
        if wants_secrets and request_user_is_admin(request=request):
            mask_secrets = False

        return {'mask_secrets': mask_secrets}
File: base.py Progetto: Bala96/st2
    def _get_mask_secrets(self, request):
        """
        Resolve the mask_secrets flag for this request.

        The config value ``api.mask_secrets`` is the default used when masking
        secret properties returned by any API. An admin user can disable masking
        for a single request with the ``?show_secrets=True`` query parameter;
        non-admin callers get the config default regardless of the parameter.

        :param request: Request object.

        :rtype: ``bool``
        """
        config_default = cfg.CONF.api.mask_secrets
        wants_secrets = self._get_query_param_value(request=request,
                                                    param_name=SHOW_SECRETS_QUERY_PARAM,
                                                    param_type='bool',
                                                    default_value=False)

        # The admin check gates the override; the query param alone is not enough
        if wants_secrets and request_user_is_admin(request=request):
            return False

        return config_default