コード例 #1
0
ファイル: Validation.py プロジェクト: amaltaro/WMCore
def validate_request_create_args(request_args, config, reqmgr_db_service, *args, **kwargs):
    """
    *arg and **kwargs are only for the interface
    validate post request
    1. read data from body
    2. validate using spec validation
    3. convert data from body to arguments (spec instance, argument with default setting)
    TODO: raise right kind of error with clear message
    """
    if request_args["RequestType"] == "Resubmission":
        # do not set default values for Resubmission since it will be inherited from parent
        # both create & assign args are accepted for Resubmission creation
        workload, request_args = validate_resubmission_create_args(request_args, config, reqmgr_db_service)
    else:
        initialize_request_args(request_args, config)
        # check the permission for creating the request
        permission = getWritePermission(request_args)
        authz_match(permission['role'], permission['group'])

        # load the correct class in order to validate the arguments
        specClass = loadSpecClassByType(request_args["RequestType"])
        # set default values for the request_args
        setArgumentsWithDefault(request_args, specClass.getWorkloadCreateArgs())
        spec = specClass()
        workload = spec.factoryWorkloadConstruction(request_args["RequestName"],
                                                    request_args)

    return workload, request_args
コード例 #2
0
ファイル: DataSites.py プロジェクト: amaltaro/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT', 'POST'):
      validate_strlist('site_name', param, safe, RX_SITE)
      validate_strlist('tier', param, safe, RX_TIER)
      validate_ustrlist('country', param, safe, RX_COUNTRY)
      validate_strlist('usage', param, safe, RX_USAGE)
      validate_strlist('url', param, safe, RX_URL)
      validate_strlist('logo_url', param, safe, RX_URL)
      validate_strlist('devel_release', param, safe, RX_YES_NO)
      validate_strlist('manual_install', param, safe, RX_YES_NO)
      validate_lengths(safe, 'site_name', 'tier', 'country', 'usage',
                       'url', 'logo_url', 'devel_release', 'manual_install')
      if method == 'PUT':
        validate_strlist('executive', param, safe, RX_USER)
        validate_lengths(safe, 'executive')

    elif method == 'DELETE':
      validate_strlist('site_name', param, safe, RX_SITE)

    # Delay POST authz until we have database connection for name remapping.
    if method in ('PUT'):
      authz_match(role=["Global Admin", "Operator"], group=["global","SiteDB"])
    elif method in ('DELETE'):
      authz_match(role=["Global Admin"], group=["global"])
コード例 #3
0
ファイル: Validation.py プロジェクト: huohuo21/WMCore
def validate_request_create_args(request_args, config, *args, **kwargs):
    """
    *arg and **kwargs are only for the interface
    validate post request
    1. read data from body
    2. validate using spec validation
    3. convert data from body to arguments (spec instance, argument with default setting) 
    TODO: rasie right kind of error with clear message 
    """
    
    initialize_request_args(request_args, config)
    #check the permission for creating the request
    permission = getWritePermission(request_args)
    authz_match(permission['role'], permission['group'])
    
    # set default values for teh request_args
    specClass = loadSpecClassByType(request_args["RequestType"])
    setArgumentsWithDefault(request_args, specClass.getWorkloadArguments())
    
    # get the spec type and validate arguments
    spec = loadSpecByType(request_args["RequestType"])
    if request_args["RequestType"] == "Resubmission":
        request_args["OriginalRequestCouchURL"] = '%s/%s' % (config.couch_host, 
                                                             config.couch_reqmgr_db)
    workload = spec.factoryWorkloadConstruction(request_args["RequestName"], 
                                                request_args)
    return workload, request_args
コード例 #4
0
ファイル: DataPeople.py プロジェクト: lat/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT', 'POST'):
      validate_strlist('username',  param, safe, RX_USER)
      validate_strlist('email',     param, safe, RX_EMAIL)
      validate_ustrlist('forename',  param, safe, RX_NAME)
      validate_ustrlist('surname',   param, safe, RX_NAME)
      validate_ustrlist('dn',        param, safe, RX_DN)
      validate_strlist('phone1',    param, safe, RX_PHONE)
      validate_strlist('phone2',    param, safe, RX_PHONE)
      validate_strlist('im_handle', param, safe, RX_IM)
      validate_lengths(safe, 'username', 'email', 'forename', 'surname',
                       'dn', 'phone1', 'phone2', 'im_handle')

      mydn = cherrypy.request.user['dn']
      me = cherrypy.request.user['login']
      for user, dn in zip(safe.kwargs['username'], safe.kwargs['dn']):
        (method == 'POST' and user == me and dn == mydn) or \
          authz_match(role=["Global Admin"], group=["global"])

    elif method == 'DELETE':
      validate_strlist('username',  param, safe, RX_USER)
      authz_match(role=["Global Admin"], group=["global"])
コード例 #5
0
ファイル: DataProcessing.py プロジェクト: dmwm/sitedb
 def validate(self, apiobj, method, api, param, safe):
   """Validate request input data."""
   if method in ('PUT', 'DELETE'):
     validate_strlist('phedex_name', param, safe, RX_NAME)
     validate_strlist('psn_name', param, safe, RX_NAME)
     validate_lengths(safe, 'phedex_name', 'psn_name')
     authz_match(role=["Global Admin", "Operator"], group=["global","SiteDB"])
コード例 #6
0
ファイル: Validation.py プロジェクト: amaltaro/WMCore
def validate_clone_create_args(request_args, config, reqmgr_db_service, *args, **kwargs):
    """
    Handle clone workflows through the clone API, by loading the spec arguments
    definition (and chain definition, if needed) and inheriting all arguments defined
    in the spec.
    *arg and **kwargs are only for the interface
    """
    response = reqmgr_db_service.getRequestByNames(request_args.pop("OriginalRequestName"))
    originalArgs = response.values()[0]

    chainArgs = None
    specClass = loadSpecClassByType(originalArgs["RequestType"])
    if originalArgs["RequestType"] == 'Resubmission':
        # cloning an ACDC, nothing that we can validate
        # simply copy the whole original dictionary over and accept all args
        createArgs = originalArgs
    else:
        # load arguments definition from the proper/original spec factory
        createArgs = specClass.getWorkloadCreateArgs()
        if originalArgs["RequestType"] in ('StepChain', 'TaskChain'):
            chainArgs = specClass.getChainCreateArgs()

    cloned_args = initialize_clone(request_args, originalArgs, createArgs, chainArgs)
    initialize_request_args(cloned_args, config)

    permission = getWritePermission(cloned_args)
    authz_match(permission['role'], permission['group'])

    spec = specClass()
    workload = spec.factoryWorkloadConstruction(cloned_args["RequestName"], cloned_args)

    return workload, cloned_args
コード例 #7
0
ファイル: DataGroups.py プロジェクト: nikmagini/sitedb
    def validate(self, apiobj, method, api, param, safe):
        """Validate request input data."""
        if method in ("GET", "HEAD"):
            validate_rx("match", param, safe, optional=True)

        elif method in ("PUT", "DELETE"):
            validate_strlist("name", param, safe, RX_LABEL)
            authz_match(role="Global Admin", group="global")
コード例 #8
0
ファイル: DataRoles.py プロジェクト: lat/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT', 'DELETE'):
      validate_strlist('title', param, safe, RX_LABEL)
      authz_match(role=["Global Admin"], group=["global"])
コード例 #9
0
ファイル: DataSchema.py プロジェクト: ticoann/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method == 'POST':
      validate_str('action', param, safe, re.compile(r"^(archive|restore)$"))
    elif method == 'DELETE':
      validate_str('action', param, safe, re.compile(r"^(all|archive|current)$"))

    authz_match(role=["Global Admin"], group=["global"])
コード例 #10
0
ファイル: Validation.py プロジェクト: huohuo21/WMCore
def validate_request_update_args(request_args, config, reqmgr_db_service, param):
    """
    param and safe structure is RESTArgs structure: named tuple
    RESTArgs(args=[], kwargs={})
    
    validate post/put request
    1. read data from body
    2. validate the permission (authentication)
    3. validate state transition (against previous state from couchdb)
    2. validate using workload validation
    3. convert data from body to arguments (spec instance, argument with default setting)
    
    TODO: rasie right kind of error with clear message 
    """
    # this needs to be deleted for validation
    request_name = request_args.pop("RequestName")
    couchurl =  '%s/%s' % (config.couch_host, config.couch_reqmgr_db)
    workload = WMWorkloadHelper()
    workload.loadSpecFromCouch(couchurl, request_name)
    
    # first validate the permission by status and request type.
    # if the status is not set only ReqMgr Admin can change the values
    # TODO for each step, assigned, approved, announce find out what other values
    # can be set
    request_args["RequestType"] = workload.requestType()
    permission = getWritePermission(request_args)
    authz_match(permission['role'], permission['group'])
    del request_args["RequestType"]

    #validate the status
    if "RequestStatus" in request_args:
        validate_state_transition(reqmgr_db_service, request_name, request_args["RequestStatus"])
        # delete request_args since it is not part of spec argument and validation
        args_without_status = {}
        args_without_status.update(request_args)
        del args_without_status["RequestStatus"]
    else:
        args_without_status = request_args

    if len(args_without_status) == 1:
        if 'RequestPriority' in args_without_status:
            args_without_status['RequestPriority'] = int(args_without_status['RequestPriority'])
            if (lambda x: (x >= 0 and x < 1e6))(args_without_status['RequestPriority']) is False:
                raise InvalidSpecParameterValue("RequestPriority must be an integer between 0 and 1e6")
            return workload, args_without_status
        elif 'cascade' in args_without_status:
            # status was already validated
            return workload, request_args
    elif len(args_without_status) > 0 and not workqueue_stat_validation(args_without_status):
        # validate the arguments against the spec argumentSpecdefinition
        #TODO: currently only assigned status allows any update other then Status update
        workload.validateArgumentForAssignment(args_without_status)

    # to update request_args with type conversion
    request_args.update(args_without_status)
    return workload, request_args
コード例 #11
0
ファイル: DataESPCredit.py プロジェクト: amaltaro/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT'):
      validate_strlist('site', param, safe, RX_LABEL)
      validate_reallist('value', param, safe, minval = 0.)
      validate_strlist('year', param, safe, RX_YEARS)
      authz_match(role=["Global Admin"], group=["global"])
コード例 #12
0
ファイル: DataSites.py プロジェクト: amaltaro/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""

    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT', 'DELETE'):
      validate_strlist('type', param, safe, RX_NAME_TYPE)
      validate_strlist('site_name', param, safe, RX_SITE)
      validate_strlist('alias', param, safe, RX_NAME)
      validate_lengths(safe, 'type', 'site_name', 'alias')
      authz_match(role=["Global Admin", "Operator"], group=["global","SiteDB"])
コード例 #13
0
ファイル: DataTiers.py プロジェクト: amaltaro/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method == 'PUT':
      validate_numlist('position', param, safe, bare = True)
      validate_strlist('name', param, safe, RX_TIER)
      validate_lengths(safe, 'position', 'name')
      authz_match(role=["Global Admin"], group=["global"])

    elif method == 'DELETE':
      validate_numlist('position', param, safe, bare = True)
      authz_match(role=["Global Admin"], group=["global"])
コード例 #14
0
ファイル: DataAccounts.py プロジェクト: amaltaro/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    if method in ('GET', 'HEAD'):
      validate_rx('match', param, safe, optional = True)

    elif method in ('PUT', 'POST'):
      validate_strlist('username', param, safe, RX_USER)
      validate_strlist('passwd', param, safe, RX_PASSWD)
      validate_lengths(safe, 'username', 'passwd')
      authz_match(role=["Global Admin"], group=["global"])

    elif method == 'DELETE':
      validate_strlist('username', param, safe, RX_USER)
      authz_match(role=["Global Admin"], group=["global"])
コード例 #15
0
ファイル: Validation.py プロジェクト: amaltaro/WMCore
def validate_request_update_args(request_args, config, reqmgr_db_service, param):
    """
    param and safe structure is RESTArgs structure: named tuple
    RESTArgs(args=[], kwargs={})

    validate post/put request
    1. read data from body
    2. validate the permission (authentication)
    3. validate state transition (against previous state from couchdb)
    2. validate using workload validation
    3. convert data from body to arguments (spec instance, argument with default setting)

    TODO: raise right kind of error with clear message
    """
    # this needs to be deleted for validation
    request_name = request_args.pop("RequestName")
    couchurl = '%s/%s' % (config.couch_host, config.couch_reqmgr_db)
    workload = WMWorkloadHelper()
    workload.loadSpecFromCouch(couchurl, request_name)

    # first validate the permission by status and request type.
    # if the status is not set only ReqMgr Admin can change the values
    # TODO for each step, assigned, approved, announce find out what other values
    # can be set
    request_args["RequestType"] = workload.requestType()
    permission = getWritePermission(request_args)
    authz_match(permission['role'], permission['group'])
    del request_args["RequestType"]

    # validate the status
    if "RequestStatus" in request_args:
        validate_state_transition(reqmgr_db_service, request_name, request_args["RequestStatus"])
        if request_args["RequestStatus"] in STATES_ALLOW_ONLY_STATE_TRANSITION:
            # if state change doesn't allow other transition nothing else to validate
            args_only_status = {}
            args_only_status["RequestStatus"] = request_args["RequestStatus"]
            args_only_status["cascade"] = request_args.get("cascade", False)
            return workload, args_only_status
        elif request_args["RequestStatus"] == 'assigned':
            workload.validateArgumentForAssignment(request_args)

    # TODO: fetch it from the assignment arg definition
    if 'RequestPriority' in request_args:
        request_args['RequestPriority'] = int(request_args['RequestPriority'])
        if (lambda x: (x >= 0 and x < 1e6))(request_args['RequestPriority']) is False:
            raise InvalidSpecParameterValue("RequestPriority must be an integer between 0 and 1e6")

    return workload, request_args
コード例 #16
0
ファイル: SiteAuth.py プロジェクト: nikmagini/sitedb
def oldsite_authz_match(api, sites, role=[], group=[], site=[], verbose=False):
    """Like authz_match, but translates site names from old to new via `api`.
  The caller must provide `sites`, an initially empty dictionary, used to
  cache site name translation lookups."""
    # Initialise cache if not yet done.
    if not sites:
        c, _ = api.execute(
            """select s.name site_name, c.name alias from site s
                          join site_cms_name_map cmap on cmap.site_id = s.id
                          join cms_name c on c.id = cmap.cms_name_id"""
        )
        for old, canonical in c:
            if old not in sites:
                sites[old] = []
            sites[old].append(canonical)

    # Remap sites. Ignore sites which don't exist, rather than raising an error.
    # This is needed so that a global admin can perform the operations on site
    # objects even if cms name mapping is missing. This does not affect authz
    # decisions if someone other than global admin attempts an operation - one
    # cannot have privileges for a site that has no CMS name.
    remapped = sum((sites[s] for s in site if s in sites), [])

    # Now perform normal authz_match.
    return authz_match(role, group, remapped, verbose)
コード例 #17
0
def validate_resubmission_create_args(request_args, config, reqmgr_db_service,
                                      *args, **kwargs):
    """
    Handle resubmission workflows, loading the spec arguments definition (and chain
    definition, if needed) and inheriting all arguments defined in the spec.
    User can also override arguments, since it uses the same mechanism as a clone.
    *arg and **kwargs are only for the interface
    """
    response = reqmgr_db_service.getRequestByNames(
        request_args["OriginalRequestName"])
    originalArgs = next(iter(viewvalues(response)))

    ### not a nice fix for #8245, but we cannot inherit the CollectionName attr
    originalArgs.pop("CollectionName", None)

    chainArgs = None
    if originalArgs["RequestType"] == 'Resubmission':
        # ACDC of ACDC, we can't validate this case
        # simply copy the whole original dictionary over and accept all args
        createArgs = originalArgs
        request_args["OriginalRequestType"] = originalArgs[
            "OriginalRequestType"]
        request_args["ResubmissionCount"] = originalArgs.get(
            "ResubmissionCount", 1) + 1
    else:
        # load arguments definition from the proper/original spec factory
        parentClass = loadSpecClassByType(originalArgs["RequestType"])
        createArgs = parentClass.getWorkloadAssignArgs()
        if originalArgs["RequestType"] in ('StepChain', 'TaskChain'):
            chainArgs = parentClass.getChainCreateArgs()
        createArgs.update(parentClass.getWorkloadCreateArgs())
        request_args["OriginalRequestType"] = originalArgs["RequestType"]

    cloned_args = initialize_clone(request_args, originalArgs, createArgs,
                                   chainArgs)
    initialize_request_args(cloned_args, config)

    permission = getWritePermission(cloned_args)
    authz_match(permission['role'], permission['group'])

    specClass = loadSpecClassByType(request_args["RequestType"])
    spec = specClass()
    workload = spec.factoryWorkloadConstruction(cloned_args["RequestName"],
                                                cloned_args)

    return workload, cloned_args
コード例 #18
0
ファイル: DataHNSync.py プロジェクト: lat/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    authz_match(role=["Global Admin"], group=["global"])
    if method == "GET":
      if not self._syncer:
        raise cherrypy.HTTPError(503, "Not running.")

    elif method in ("PUT", "POST"):
      validate_strlist('username', param, safe, RX_USER)
      validate_strlist('passwd',   param, safe, RX_PASSWD)
      validate_strlist('email',    param, safe, RX_EMAIL)
      validate_ustrlist('name',    param, safe, RX_HN_NAME)
      validate_lengths(safe, 'username', 'passwd', 'email', 'name')

      authz = cherrypy.request.user
      if authz['method'] != 'Internal' or authz['login'] != self._syncer.sectoken:
        raise cherrypy.HTTPError(403, "You are not allowed to access this resource.")
コード例 #19
0
ファイル: DataLdapSync.py プロジェクト: zdenekmaxa/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    authz_match(role=["Global Admin"], group=["global"])
    if method == "GET":
      if not self._syncer:
        raise cherrypy.HTTPError(503, "Not running.")

    elif method == "PUT":
      validate_strlist ('username', param, safe, RX_USER)
      validate_strlist ('passwd',   param, safe, RX_PASSWD)
      validate_strlist ('email',    param, safe, RX_EMAIL)
      validate_ustrlist('name',     param, safe, RX_NAME)
      validate_ustrlist('dn',       param, safe, RX_DN)
      validate_lengths(safe, 'username', 'passwd', 'email', 'name', 'dn')

      authz = cherrypy.request.user
      if authz['method'] != 'Internal' or authz['login'] != self._syncer.sectoken:
        raise cherrypy.HTTPError(403, "You are not allowed to access this resource.")
コード例 #20
0
ファイル: DataLdapSync.py プロジェクト: geneguvo/sitedb
    def validate(self, apiobj, method, api, param, safe):
        """Validate request input data."""
        authz_match(role=["Global Admin"], group=["global"])
        if method == "GET":
            if not self._syncer:
                raise cherrypy.HTTPError(503, "Not running.")

        elif method == "PUT":
            validate_strlist("username", param, safe, RX_USER)
            validate_strlist("passwd", param, safe, RX_PASSWD)
            validate_strlist("email", param, safe, RX_EMAIL)
            validate_ustrlist("name", param, safe, RX_NAME)
            validate_ustrlist("dn", param, safe, RX_DN)
            validate_lengths(safe, "username", "passwd", "email", "name", "dn")

            authz = cherrypy.request.user
            if authz["method"] != "Internal" or authz["login"] != self._syncer.sectoken:
                raise cherrypy.HTTPError(403, "You are not allowed to access this resource.")
コード例 #21
0
ファイル: DataHost.py プロジェクト: dmwm/overview
  def validate(self, apiobj, method, api, param, safe):
    if method == "GET":
      if not len(param.args) or param.args[0] not in ("ip", "name", "stats"):
        raise InvalidParameter("Missing or wrong ip/host category")
      safe.kwargs["kind"] = kind = param.args.pop(0)
      if kind == "ip":
        validate_iplist("host", param, safe)
      elif kind == "name":
        validate_strlist("host", param, safe, RXHOST)
      elif kind == "stats":
        authz_match(role=["Global Admin"], group=["global"])
        safe.kwargs["host"] = []

    elif method == "POST":
      authz_match(role=["Global Admin"], group=["global"])
      if not len(param.args) or param.args[0] not in ("stats", "purge"):
        raise InvalidParameter("Invalid operation")
      safe.kwargs["operation"] = param.args.pop(0)
コード例 #22
0
ファイル: DataRebusFetch.py プロジェクト: dmwm/sitedb
  def validate(self, apiobj, method, api, param, safe):
    """Validate request input data."""
    authz_match(role=["Global Admin"], group=["global"])
    if method == "GET":
      if not self._syncer:
        raise cherrypy.HTTPError(503, "Not running.")

    elif method == "PUT":
      validate_strlist('name', param, safe, RX_FEDERATION)
      validate_strlist('country', param, safe, RX_FEDERATION)
      validate_strlist('year', param, safe, RX_YEARS)
      validate_strlist('cpu', param, safe, RX_NUMBER)
      validate_strlist('disk', param, safe, RX_NUMBER)
      validate_strlist('tape', param, safe, RX_NUMBER)
      validate_lengths(safe, 'name', 'country', 'year', 'cpu', 'disk', 'tape')
      authz = cherrypy.request.user
      if authz['method'] != 'Internal' or authz['login'] != self._syncer.sectoken:
        raise cherrypy.HTTPError(403, "You are not allowed to access this resource.")
コード例 #23
0
    def validate(self, apiobj, method, api, param, safe):
        if method == "GET":
            if not len(param.args) or param.args[0] not in ("ip", "name",
                                                            "stats"):
                raise InvalidParameter("Missing or wrong ip/host category")
            safe.kwargs["kind"] = kind = param.args.pop(0)
            if kind == "ip":
                validate_iplist("host", param, safe)
            elif kind == "name":
                validate_strlist("host", param, safe, RXHOST)
            elif kind == "stats":
                authz_match(role=["Global Admin"], group=["global"])
                safe.kwargs["host"] = []

        elif method == "POST":
            authz_match(role=["Global Admin"], group=["global"])
            if not len(param.args) or param.args[0] not in ("stats", "purge"):
                raise InvalidParameter("Invalid operation")
            safe.kwargs["operation"] = param.args.pop(0)
コード例 #24
0
    def validate(self, apiobj, method, api, param, safe):
        """Validate request input data."""
        authz_match(role=["Global Admin"], group=["global"])
        if method == "GET":
            if not self._syncer:
                raise cherrypy.HTTPError(503, "Not running.")

        elif method == "PUT":
            validate_strlist('name', param, safe, RX_FEDERATION)
            validate_strlist('country', param, safe, RX_FEDERATION)
            validate_strlist('year', param, safe, RX_YEARS)
            validate_strlist('cpu', param, safe, RX_NUMBER)
            validate_strlist('disk', param, safe, RX_NUMBER)
            validate_strlist('tape', param, safe, RX_NUMBER)
            validate_lengths(safe, 'name', 'country', 'year', 'cpu', 'disk',
                             'tape')
            authz = cherrypy.request.user
            if authz['method'] != 'Internal' or authz[
                    'login'] != self._syncer.sectoken:
                raise cherrypy.HTTPError(
                    403, "You are not allowed to access this resource.")
コード例 #25
0
def validate_clone_create_args(request_args, config, reqmgr_db_service, *args,
                               **kwargs):
    """
    Handle clone workflows through the clone API, by loading the spec arguments
    definition (and chain definition, if needed) and inheriting all arguments defined
    in the spec.
    *arg and **kwargs are only for the interface
    """
    response = reqmgr_db_service.getRequestByNames(
        request_args.pop("OriginalRequestName"))
    originalArgs = response.values()[0]

    chainArgs = None
    specClass = loadSpecClassByType(originalArgs["RequestType"])
    if originalArgs["RequestType"] == 'Resubmission':
        # cloning an ACDC, nothing that we can validate
        # simply copy the whole original dictionary over and accept all args
        createArgs = originalArgs
    else:
        # load arguments definition from the proper/original spec factory
        createArgs = specClass.getWorkloadCreateArgs()
        if originalArgs["RequestType"] in ('StepChain', 'TaskChain'):
            chainArgs = specClass.getChainCreateArgs()

    cloned_args = initialize_clone(request_args, originalArgs, createArgs,
                                   chainArgs)
    initialize_request_args(cloned_args, config)

    ### TODO: backwards compatibility. Remove these 2 lines in ~HG1805
    cloned_args.pop('MaxRSS', None)
    cloned_args.pop('MaxVSize', None)

    permission = getWritePermission(cloned_args)
    authz_match(permission['role'], permission['group'])

    spec = specClass()
    workload = spec.factoryWorkloadConstruction(cloned_args["RequestName"],
                                                cloned_args)

    return workload, cloned_args
コード例 #26
0
    def validate(self, apiobj, method, api, param, safe):
        """Validate request input data."""
        if method in ('GET', 'HEAD'):
            validate_rx('match', param, safe, optional=True)

        elif method in ('PUT', 'POST'):
            validate_strlist('username', param, safe, RX_USER)
            validate_strlist('email', param, safe, RX_EMAIL)
            validate_ustrlist('forename', param, safe, RX_NAME)
            validate_ustrlist('surname', param, safe, RX_NAME)
            validate_ustrlist('dn', param, safe, RX_DN)
            validate_strlist('phone1', param, safe, RX_PHONE)
            validate_strlist('phone2', param, safe, RX_PHONE)
            validate_strlist('im_handle', param, safe, RX_IM)
            validate_lengths(safe, 'username', 'email', 'forename', 'surname',
                             'dn', 'phone1', 'phone2', 'im_handle')

            mydn = cherrypy.request.user['dn']
            me = cherrypy.request.user['login']
            for user, dn in zip(safe.kwargs['username'], safe.kwargs['dn']):
                if (method != 'POST' or user != me or dn != mydn):
                    try:
                        authz_match(role=["Global Admin"], group=["global"])
                    except HTTPError:
                        authz_match(role=["Operator"], group=["SiteDB"])

        elif method == 'DELETE':
            validate_strlist('username', param, safe, RX_USER)
            authz_match(role=["Global Admin"], group=["global"])
コード例 #27
0
ファイル: Validation.py プロジェクト: dmwm/WMCore
def validate_resubmission_create_args(request_args, config, reqmgr_db_service, *args, **kwargs):
    """
    Handle resubmission workflows, loading the spec arguments definition (and chain
    definition, if needed) and inheriting all arguments defined in the spec.
    User can also override arguments, since it uses the same mechanism as a clone.
    *arg and **kwargs are only for the interface
    """
    response = reqmgr_db_service.getRequestByNames(request_args["OriginalRequestName"])
    originalArgs = response.values()[0]

    ### not a nice fix for #8245, but we cannot inherit the CollectionName attr
    originalArgs.pop("CollectionName", None)

    chainArgs = None
    if originalArgs["RequestType"] == 'Resubmission':
        # ACDC of ACDC, we can't validate this case
        # simply copy the whole original dictionary over and accept all args
        createArgs = originalArgs
        request_args["OriginalRequestType"] = originalArgs["OriginalRequestType"]
        request_args["ResubmissionCount"] = originalArgs.get("ResubmissionCount", 1) + 1
    else:
        # load arguments definition from the proper/original spec factory
        parentClass = loadSpecClassByType(originalArgs["RequestType"])
        createArgs = parentClass.getWorkloadAssignArgs()
        if originalArgs["RequestType"] in ('StepChain', 'TaskChain'):
            chainArgs = parentClass.getChainCreateArgs()
        createArgs.update(parentClass.getWorkloadCreateArgs())
        request_args["OriginalRequestType"] = originalArgs["RequestType"]

    cloned_args = initialize_clone(request_args, originalArgs, createArgs, chainArgs)
    initialize_request_args(cloned_args, config)

    permission = getWritePermission(cloned_args)
    authz_match(permission['role'], permission['group'])

    specClass = loadSpecClassByType(request_args["RequestType"])
    spec = specClass()
    workload = spec.factoryWorkloadConstruction(cloned_args["RequestName"], cloned_args)

    return workload, cloned_args
コード例 #28
0
ファイル: Validation.py プロジェクト: tsarangi/WMCore
def validate_request_create_args(request_args, config, *args, **kwargs):
    """
    *arg and **kwargs are only for the interface
    validate post request
    1. read data from body
    2. validate using spec validation
    3. convert data from body to arguments (spec instance, argument with default setting) 
    TODO: rasie right kind of error with clear message 
    """

    initialize_request_args(request_args, config)
    #check the permission for creating the request
    permission = getWritePermission(request_args)
    authz_match(permission['role'], permission['group'])

    # get the spec type and validate arguments
    spec = loadSpecByType(request_args["RequestType"])
    if request_args["RequestType"] == "Resubmission":
        request_args["OriginalRequestCouchURL"] = '%s/%s' % (
            config.couch_host, config.couch_reqmgr_db)
    workload = spec.factoryWorkloadConstruction(request_args["RequestName"],
                                                request_args)
    return workload, request_args
コード例 #29
0
    def validate(self, apiobj, method, api, param, safe):
        """Validate request input data."""
        if method in ('GET', 'HEAD'):
            validate_rx('match', param, safe, optional=True)

        elif method in ('PUT', 'POST'):
            validate_strlist('site_name', param, safe, RX_SITE)
            validate_strlist('tier', param, safe, RX_TIER)
            validate_ustrlist('country', param, safe, RX_COUNTRY)
            validate_strlist('usage', param, safe, RX_USAGE)
            validate_strlist('url', param, safe, RX_URL)
            validate_strlist('logo_url', param, safe, RX_URL)
            validate_strlist('devel_release', param, safe, RX_YES_NO)
            validate_strlist('manual_install', param, safe, RX_YES_NO)
            validate_lengths(safe, 'site_name', 'tier', 'country', 'usage',
                             'url', 'logo_url', 'devel_release',
                             'manual_install')

        elif method == 'DELETE':
            validate_strlist('site_name', param, safe, RX_SITE)

        # Delay POST authz until we have database connection for name remapping.
        if method in ('PUT', 'DELETE'):
            authz_match(role=["Global Admin"], group=["global"])
コード例 #30
0
ファイル: SiteAuth.py プロジェクト: zdenekmaxa/sitedb
def oldsite_authz_match(api, sites, role=[], group=[], site=[], verbose=False):
  """Like authz_match, but translates site names from old to new via `api`.
  The caller must provide `sites`, an initially empty dictionary, used to
  cache site name translation lookups."""
  # Initialise cache if not yet done.
  if not sites:
    c, _ = api.execute("""select s.name site_name, c.name alias from site s
                          join site_cms_name_map cmap on cmap.site_id = s.id
                          join cms_name c on c.id = cmap.cms_name_id""")
    for old, canonical in c:
      if old not in sites:
        sites[old] = []
      sites[old].append(canonical)

  # Remap sites. Ignore sites which don't exist, rather than raising an error.
  # This is needed so that a global admin can perform the operations on site
  # objects even if cms name mapping is missing. This does not affect authz
  # decisions if someone other than global admin attempts an operation - one
  # cannot have privileges for a site that has no CMS name.
  remapped = sum((sites[s] for s in site if s in sites), [])

  # Now perform normal authz_match.
  return authz_match(role, group, remapped, verbose)
コード例 #31
0
ファイル: Validation.py プロジェクト: johnhcasallasl/WMCore
def validate_request_update_args(request_args, config, reqmgr_db_service, param):
    """
    param and safe structure is RESTArgs structure: named tuple
    RESTArgs(args=[], kwargs={})
    
    validate post/put request
    1. read data from body
    2. validate the permission (authentication)
    3. validate state transition (against previous state from couchdb)
    2. validate using workload validation
    3. convert data from body to arguments (spec instance, argument with default setting)
    
    TODO: raise right kind of error with clear message
    """
    # this needs to be deleted for validation
    request_name = request_args.pop("RequestName")
    couchurl = '%s/%s' % (config.couch_host, config.couch_reqmgr_db)
    workload = WMWorkloadHelper()
    workload.loadSpecFromCouch(couchurl, request_name)

    # first validate the permission by status and request type.
    # if the status is not set only ReqMgr Admin can change the values
    # TODO for each step, assigned, approved, announce find out what other values
    # can be set
    request_args["RequestType"] = workload.requestType()
    permission = getWritePermission(request_args)
    authz_match(permission['role'], permission['group'])
    del request_args["RequestType"]

    # validate the status
    if "RequestStatus" in request_args:
        validate_state_transition(reqmgr_db_service, request_name, request_args["RequestStatus"])
        # delete request_args since it is not part of spec argument and validation
        if request_args["RequestStatus"] not in STATES_ALLOW_ONLY_STATE_TRANSITION:
            args_without_status = {}
            args_without_status.update(request_args)
            del args_without_status["RequestStatus"]
        else:
            #if state change doesn't allow other transition nothing else to validate
            args_only_status = {}
            args_only_status["RequestStatus"] = request_args["RequestStatus"]
            return  workload, args_only_status 
    else:
        args_without_status = request_args

    if len(args_without_status) == 1:
        if 'RequestPriority' in args_without_status:
            args_without_status['RequestPriority'] = int(args_without_status['RequestPriority'])
            if (lambda x: (x >= 0 and x < 1e6))(args_without_status['RequestPriority']) is False:
                raise InvalidSpecParameterValue("RequestPriority must be an integer between 0 and 1e6")
            if "RequestStatus" in request_args:
                return workload, request_args
            else:
                return workload, args_without_status
        elif 'cascade' in args_without_status:
            # status was already validated
            return workload, request_args
    elif len(args_without_status) > 0 and not workqueue_stat_validation(args_without_status):
        # validate the arguments against the spec argumentSpecdefinition
        # TODO: currently only assigned status allows any update other then Status update
        workload.validateArgumentForAssignment(args_without_status)

    # to update request_args with type conversion
    request_args.update(args_without_status)
    return workload, request_args