def testRepositoryMismatch(self):
try:
raise errors.RepositoryMismatch('right', 'wrong')
except Exception, err:
assert (str(err) ==
'Repository name mismatch. The correct repository name '
'is "right", but it was accessed as "wrong". Check for '
'incorrect repositoryMap configuration entries.')
def commitCheck(self, authToken, nameVersionList):
""" checks that we can commit to a list of (name, version) tuples """
self.log(3, authToken[0], "entitlements=%s" % (authToken[2], ),
nameVersionList)
checkDict = {}
# nameVersionList can actually be an iterator, so we need to keep
# a list of the trove names we're dealing with
troveList = []
# first check that we handle all the labels we're asked about
for i, (n, v) in enumerate(nameVersionList):
label = v.branch().label()
if label.getHost() not in self.serverNameList:
raise errors.RepositoryMismatch(self.serverNameList,
label.getHost())
l = checkDict.setdefault(label.asString(), set())
troveList.append(n)
l.add(i)
# default to all failing
retlist = [False] * len(troveList)
if not authToken[0]:
return retlist
# check groupIds. this is the same as the self.check() function
cu = self.db.cursor()
try:
groupIds = self.getAuthRoles(cu, authToken)
except errors.InsufficientPermission:
return retlist
if not len(groupIds):
return retlist
# build the query statement for permissions check
stmt = """
select Items.item
from Permissions join Items using (itemId)
"""
where = ["Permissions.canWrite=1"]
where.append("Permissions.userGroupId IN (%s)" %
",".join("%d" % x for x in groupIds))
if len(checkDict):
where.append("""(
Permissions.labelId = 0 OR
Permissions.labelId in (select labelId from Labels where label=?)
)""")
stmt += "WHERE " + " AND ".join(where)
# we need to test for each label separately in case we have
# mutiple troves living of multiple lables with different
# permission settings
for label in checkDict.iterkeys():
cu.execute(stmt, label)
patterns = [x[0] for x in cu]
for i in checkDict[label]:
for pattern in patterns:
if self.checkTrove(pattern, troveList[i]):
retlist[i] = True
break
return retlist
def batchCheck(self, authToken, troveList, write=False, cu=None):
""" checks access permissions for a set of *existing* troves in the repository """
# troveTupList is a list of (name, VFS) tuples
self.log(3, authToken[0],
"entitlements=%s write=%s" % (authToken[2], int(bool(write))),
troveList)
# process/check the troveList, which can be an iterator
checkList = []
for i, (n, v, f) in enumerate(troveList):
h = versions.VersionFromString(v).getHost()
if h not in self.serverNameList:
raise errors.RepositoryMismatch(self.serverNameList, h)
checkList.append((i, n, v, f))
# default to all failing
retlist = [False] * len(checkList)
if not authToken[0]:
return retlist
# check groupIds
if cu is None:
cu = self.db.cursor()
try:
groupIds = self.getAuthRoles(cu, authToken)
except errors.InsufficientPermission:
return retlist
if not len(groupIds):
return retlist
resetTable(cu, "tmpNVF")
self.db.bulkload("tmpNVF",
checkList, ["idx", "name", "version", "flavor"],
start_transaction=False)
self.db.analyze("tmpNVF")
writeCheck = ''
if write:
writeCheck = "and ugi.canWrite = 1"
cu.execute("""
select t.idx, i.instanceId
from tmpNVF as t
join Items on t.name = Items.item
join Versions on t.version = Versions.version
join Flavors on t.flavor = Flavors.flavor
join Instances as i on
i.itemId = Items.itemId and
i.versionId = Versions.versionId and
i.flavorId = Flavors.flavorId
join UserGroupInstancesCache as ugi on i.instanceId = ugi.instanceId
where ugi.userGroupId in (%s)
%s""" % (",".join("%d" % x for x in groupIds), writeCheck))
for i, instanceId in cu:
retlist[i] = True
return retlist
def getFileContents(self, itemList):
contents = []
for item in itemList:
(fileId, fileVersion) = item[0:2]
# the get trove netclient provides doesn't work with a
# FilesystemRepository (it needs to create a change set which gets
# passed)
if fileVersion.getHost() in self.serverNameList:
fileObj = item[2]
cont = filecontents.FromDataStore(self.contentsStore,
fileObj.contents.sha1())
else:
raise errors.RepositoryMismatch(self.serverNameList,
fileVersion.getHost())
contents.append(cont)
return contents
def getFileVersion(self, pathId, fileId, fileVersion, withContents = 0):
# the get trove netclient provides doesn't work with a
# FilesystemRepository (it needs to create a change set which gets
# passed)
if fileVersion.getHost() not in self.serverNameList:
raise errors.RepositoryMismatch(self.serverNameList,
fileVersion.getHost())
fileObj = self.troveStore.getFile(pathId, fileId)
if withContents:
if fileObj.hasContents:
cont = filecontents.FromDataStore(self.contentsStore,
file.contents.sha1())
else:
cont = None
return (fileObj, cont)
return fileObj
def check(self,
authToken,
write=False,
label=None,
trove=None,
remove=False,
allowAnonymous=True):
self.log(
3, authToken[0],
"entitlements=%s write=%s label=%s trove=%s remove=%s" %
(authToken[2], int(bool(write)), label, trove, int(bool(remove))))
if label and label.getHost() not in self.serverNameList:
raise errors.RepositoryMismatch(self.serverNameList,
label.getHost())
if not authToken[0]:
return False
cu = self.db.cursor()
try:
groupIds = self.getAuthRoles(cu,
authToken,
allowAnonymous=allowAnonymous)
except errors.InsufficientPermission:
return False
if len(groupIds) < 1:
return False
elif not label and not trove and not remove and not write:
# no more checks to do -- the authentication information is valid
return True
stmt = """
select Items.item
from Permissions join items using (itemId)
"""
params = []
where = []
if len(groupIds):
where.append("Permissions.userGroupId IN (%s)" %
",".join("%d" % x for x in groupIds))
if label:
where.append("""
(
Permissions.labelId = 0 OR
Permissions.labelId in
( select labelId from Labels where Labels.label = ? )
)
""")
params.append(label.asString())
if write:
where.append("Permissions.canWrite=1")
if remove:
where.append("Permissions.canRemove=1")
if where:
stmt += "WHERE " + " AND ".join(where)
self.log(4, stmt, params)
cu.execute(stmt, params)
for (pattern, ) in cu:
if self.checkTrove(pattern, trove):
return True
return False