コード例 #1
 def test_find_security_policies(self):
     '''
     Check that a policy lookup on the manager reaches the connection.

     Only delegation is asserted: the test passes as soon as the mocked
     connection's find_security_policies attribute reports a call.
     '''
     connection = self.mock_connection.return_value
     find_policies = connection.find_security_policies

     lookup_filters = {
         "repo_base": self.repo_base,
         "repo": self.repo,
         "table": self.table,
         # Fixture value kept exactly as written, including the
         # unbalanced quote after "visible=".
         "policy": "visible='True",
         "policy_type": "insert",
         "grantee": "test",
         "grantor": "test_grantor",
     }
     RowLevelSecurityManager.find_security_policies(**lookup_filters)

     # NOTE(review): `.called` does not check which filters were forwarded;
     # a regression that drops the grantor or grantee filter would still
     # pass. Asserting the call arguments would pin that down.
     self.assertTrue(find_policies.called)
コード例 #2
    def find_table_policies(self, table, repo, policytype, repo_base):
        '''
        Collect the security policy expressions that apply to self.user on
        one table.

        Three lookups are combined, in this order: policies whose grantee is
        self.user, policies whose grantee is settings.RLS_ALL and, only when
        self.user is not found among the repo's collaborators, policies
        whose grantee is settings.RLS_PUBLIC. When repo_base is None,
        self.repo_base is used instead.

        Returns a list holding the `policy` attribute of every match.
        '''
        if repo_base is None:
            repo_base = self.repo_base

        def policies_for(grantee):
            # NOTE(review): every lookup passes safe=False; what that flag
            # relaxes is not visible in this block. Confirm it is intended
            # for this internal lookup.
            return RowLevelSecurityManager.find_security_policies(
                repo_base=repo_base,
                repo=repo,
                table=table,
                policy_type=policytype,
                grantee=grantee,
                safe=False)

        # Policies aimed at this user, then policies aimed at everyone.
        user_policies = policies_for(self.user)
        all_policies = policies_for(settings.RLS_ALL)

        # People collaborating on this repo.
        collaborators = Collaborator.objects.filter(repo_base=repo_base,
                                                    repo_name=repo)

        # NOTE(review): this membership test compares self.user with the
        # rows returned by the Collaborator query. If self.user is a
        # username string rather than one of those rows it can never match,
        # and the public policies would be loaded for collaborators too.
        # Verify the types on both sides.
        if self.user not in collaborators:
            public_policies = policies_for(settings.RLS_PUBLIC)
        else:
            public_policies = []

        combined = user_policies + all_policies + public_policies
        return [entry.policy for entry in combined]
コード例 #3
ファイル: query_rewriter.py プロジェクト: BEYHHH/sunjiaojiao
    def find_table_policies(self, table, repo, policytype, repo_base):
        '''
        Return the policy expressions in force for self.user on repo.table.

        The result concatenates, in order, the policies granted to
        self.user, those granted to settings.RLS_ALL and, if self.user is
        not among the repo's collaborators, those granted to
        settings.RLS_PUBLIC. A repo_base of None means self.repo_base.
        '''
        if repo_base is None:
            repo_base = self.repo_base

        # Filters shared by all three lookups; only the grantee differs.
        # NOTE(review): safe=False is passed on every lookup and its effect
        # is not shown here. Confirm it is appropriate for this caller.
        shared_filters = {
            'repo_base': repo_base,
            'repo': repo,
            'table': table,
            'policy_type': policytype,
            'safe': False,
        }

        # policies that are meant to apply to specific users
        user_policies = RowLevelSecurityManager.find_security_policies(
            grantee=self.user, **shared_filters)

        # policies that are meant to apply to all users
        all_policies = RowLevelSecurityManager.find_security_policies(
            grantee=settings.RLS_ALL, **shared_filters)

        # People collaborating on this repo
        collaborators = Collaborator.objects.filter(
            repo_base=repo_base, repo_name=repo)

        # Public policies are added only for users outside the
        # collaborator set.
        # NOTE(review): the `in` test compares self.user against rows of
        # the Collaborator query; if self.user is a plain username it will
        # never be "in" the result. Check against the model's fields.
        public_policies = []
        is_collaborator = self.user in collaborators
        if not is_collaborator:
            public_policies = RowLevelSecurityManager.find_security_policies(
                grantee=settings.RLS_PUBLIC, **shared_filters)

        result = []
        for policy_tuple in user_policies + all_policies + public_policies:
            result.append(policy_tuple.policy)
        return result
コード例 #4
ファイル: views.py プロジェクト: ly2513/datahub
def security_policies(request, repo_base, repo, table):
    '''
    Render the security policies on repo.table that the requesting user
    granted.

    The lookup is filtered with grantor=<requesting username>, so policies
    created by other grantors are not listed. A LookupError from the
    manager is shown as an empty list.
    '''
    # NOTE(review): no authentication decorator is visible in this excerpt.
    # Confirm the view is only reachable by logged-in users.
    username = request.user.get_username()

    try:
        found = RowLevelSecurityManager.find_security_policies(
            repo_base=repo_base,
            repo=repo,
            table=table,
            grantor=username,
            safe=True)
    except LookupError:
        # A failed lookup and "no policies" look the same to the user.
        found = []

    # The template receives plain tuples instead of the named tuples
    # (the original author called this a hack, done for expediency).
    rows = []
    for p in found:
        rows.append((p.id, p.policy, p.policy_type, p.grantee, p.grantor))

    context = dict([
        ('login', username),
        ('repo_base', repo_base),
        ('repo', repo),
        ('table', table),
        ('policies', rows),
    ])
    context.update(csrf(request))
    return render_to_response("security-policies.html", context)
コード例 #5
ファイル: views.py プロジェクト: LostInTheWeb/datahub
def security_policies(request, repo_base, repo, table):
    '''
    Show the security policies defined for a table by the current user.

    Only policies whose grantor is the requesting username are looked up.
    If the manager raises LookupError, the page is rendered with no
    policies.
    '''
    # NOTE(review): whether this view is login-protected is not visible
    # here. Verify at the route or decorator level.
    username = request.user.get_username()

    def lookup():
        # safe=True is what this user-facing call passes to the manager.
        return RowLevelSecurityManager.find_security_policies(
            repo_base=repo_base,
            repo=repo,
            table=table,
            grantor=username,
            safe=True)

    try:
        policies = lookup()
    except LookupError:
        policies = []

    # Flatten each named tuple into the five columns the template shows.
    policies = [
        (entry.id, entry.policy, entry.policy_type,
         entry.grantee, entry.grantor)
        for entry in policies
    ]

    res = {'login': username, 'repo_base': repo_base, 'repo': repo}
    res['table'] = table
    res['policies'] = policies

    res.update(csrf(request))
    return render_to_response("security-policies.html", res)
コード例 #6
ファイル: serializer.py プロジェクト: maalmeida1837/datahub
    def find_security_policies(
            self, repo=None, table=None, policy_id=None,
            policy=None, policy_type=None, grantee=None):
        '''
        Return the matching security policies as a list of dicts.

        The optional arguments are passed through as filters. repo_base
        and grantor are both fixed to self.username, so the caller cannot
        widen the search to another user's repo base or to policies
        granted by someone else.
        '''
        filters = dict(
            repo=repo,
            table=table,
            policy_id=policy_id,
            policy=policy,
            policy_type=policy_type,
            grantee=grantee)

        matches = RowLevelSecurityManager.find_security_policies(
            repo_base=self.username,
            grantor=self.username,
            safe=True,
            **filters)

        # Each result is a named tuple; convert it to a dict.
        return [match._asdict() for match in matches]
コード例 #7
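    def process_permissions(self, permission):
        '''
        Apply one SQL permissions statement to the policy table.

        The statement is split into permission type, access type, grantee,
        (repo, table) and policy. A "grant" creates a security policy with
        self.user as grantor. Any other permission type removes the single
        policy matching all of those fields.

        Raises Exception when the removal lookup does not match exactly one
        policy.
        '''
        permission_type = self.extract_permission_type(permission)
        access_type = self.extract_access_type(permission)
        grantee = self.extract_grantee(permission)
        table_info = self.extract_table_info(permission)
        policy = self.extract_policy(permission)

        repo = table_info[0]
        table = table_info[1]

        if permission_type == "grant":
            RowLevelSecurityManager.create_security_policy(
                policy=policy,
                policy_type=access_type,
                grantee=grantee,
                grantor=self.user,
                repo_base=self.repo_base,
                repo=repo,
                table=table)
            return

        # NOTE(review): every permission type other than "grant" lands
        # here and is treated as a removal. Confirm that
        # extract_permission_type cannot return anything unexpected.
        # grantor=self.user limits the match to policies this user granted.
        policies = RowLevelSecurityManager.find_security_policies(
            repo_base=self.repo_base,
            repo=repo,
            table=table,
            policy=policy,
            policy_type=access_type,
            grantee=grantee,
            grantor=self.user,
            safe=False)

        # Refuse to remove anything unless the match is unambiguous.
        if len(policies) != 1:
            raise Exception('Error identifying security policy.')

        # The id must come from the policy that was found. The previous
        # code indexed the extracted policy text (policy[0][0]) and so
        # passed its first character as the id to remove.
        RowLevelSecurityManager.remove_security_policy(
            policy_id=policies[0].id,
            username=self.user,
            repo_base=self.repo_base)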
コード例 #8
ファイル: rls_permissions.py プロジェクト: BEYHHH/sunjiaojiao
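    def process_permissions(self, permission):
        '''
        Take a SQL permissions statement, extract its components
        (permission type, access type, grantee, repo, table and policy) and
        update the policy table accordingly.

        For a "grant", a security policy is created with self.user as
        grantor. For any other permission type, the one policy that matches
        all extracted fields is removed.

        Raises Exception if the removal lookup finds zero policies or more
        than one.
        '''
        permission_type = self.extract_permission_type(permission)
        access_type = self.extract_access_type(permission)
        grantee = self.extract_grantee(permission)
        table_info = self.extract_table_info(permission)
        policy = self.extract_policy(permission)

        repo = table_info[0]
        table = table_info[1]

        if permission_type == "grant":
            RowLevelSecurityManager.create_security_policy(
                policy=policy,
                policy_type=access_type,
                grantee=grantee,
                grantor=self.user,
                repo_base=self.repo_base,
                repo=repo,
                table=table)
        else:
            # NOTE(review): this branch handles everything that is not
            # "grant". Verify that a malformed statement cannot reach it.
            # The lookup is limited to policies granted by self.user.
            policies = RowLevelSecurityManager.find_security_policies(
                repo_base=self.repo_base,
                repo=repo,
                table=table,
                policy=policy,
                policy_type=access_type,
                grantee=grantee,
                grantor=self.user,
                safe=False)

            if len(policies) == 1:
                # Use the id of the policy that was found. The earlier
                # policy[0][0] indexed the extracted policy text instead of
                # the lookup result, so the wrong value was sent as the id.
                RowLevelSecurityManager.remove_security_policy(
                    policy_id=policies[0].id, username=self.user,
                    repo_base=self.repo_base)
            else:
                # Zero or several matches: do not guess which to delete.
                raise Exception('Error identifying security policy.')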