def test_auth_failed_exception(): gen_perms_apply_data = MagicMock(return_value="gen_perms_apply_data_token") with patch("iam.exceptions.gen_perms_apply_data", gen_perms_apply_data): abe = AuthFailedException("system", "subject", "action", ["resources"]) data = abe.perms_apply_data() assert data == "gen_perms_apply_data_token" gen_perms_apply_data.assert_called_once_with( "system", "subject", [{ "action": "action", "resources_list": [["resources"]] }])
def create_detail(self, object_list, bundle): system = self.helper.system subject = self.helper.get_subject(bundle) action = Action(self.helper.create_action) resources = self.helper.get_create_detail_resources(bundle) request = Request( system, subject, action, resources, self.helper.get_create_detail_environment(bundle), ) allowed = self.iam.is_allowed(request) logger.debug( "tastypie create_detail is_allowed request({}) result: {}".format( request.to_dict(), allowed)) if not allowed: raise ImmediateHttpResponse( IAMAuthFailedResponse( AuthFailedException(system, subject, action, resources))) return allowed
def allow_or_raise_immediate_response(iam, system, subject, action, resources, environment=None): request = Request(system, subject, action, resources, environment) allowed = iam.is_allowed(request) if not allowed: raise ImmediateHttpResponse(IAMAuthFailedResponse(AuthFailedException(system, subject, action, resources))) return
def process(self, request, *args, **kwargs): subject = Subject("user", request.user.username) action = Action(self.action) request = Request(IAMMeta.SYSTEM_ID, subject, action, [], {}) allowed = iam.is_allowed(request) if not allowed: raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, action, [])
def iam_resource_auth_or_raise(username, action, resource_id=None, get_resource_func=None): iam = get_iam_client() action = Action(action) subject = Subject("user", username) resources = None if get_resource_func: resources = getattr(res_factory, get_resource_func)(resource_id) request = Request(IAMMeta.SYSTEM_ID, subject, action, resources or [], {}) if not iam.is_allowed(request): raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, action, resources or [])
def process(self, request, *args, **kwargs): task_id = self.get_task_id(request, *args, **kwargs) subject = Subject("user", request.user.username) action = Action(self.action) resources = res_factory.resources_for_task(task_id) request = Request(IAMMeta.SYSTEM_ID, subject, action, resources, {}) allowed = iam.is_allowed_with_cache(request) if not allowed: raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, action, resources)
def process(self, request, *args, **kwargs): template_id = request.GET.get("template_id") subject = Subject("user", request.user.username) action = Action(IAMMeta.FLOW_VIEW_ACTION) resources = res_factory.resources_for_flow(template_id) request = Request(IAMMeta.SYSTEM_ID, subject, action, resources, {}) allowed = iam.is_allowed(request) if not allowed: raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, action, resources)
def process(self, request, *args, **kwargs): project_id = kwargs["project_id"] templates_data = read_template_data_file( request.FILES["data_file"])["data"]["template_data"] request.FILES["data_file"].seek(0) override = string_to_boolean(request.POST["override"]) check_info = TaskTemplate.objects.import_operation_check( templates_data, project_id) subject = Subject("user", request.user.username) create_action = Action(IAMMeta.FLOW_CREATE_ACTION) project_resources = res_factory.resources_for_project(project_id) create_request = Request(IAMMeta.SYSTEM_ID, subject, create_action, project_resources, {}) # check flow create permission if not override: allowed = iam.is_allowed(create_request) if not allowed: raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, create_action, project_resources) else: # check flow create permission if len(check_info["new_template"]) != len( check_info["override_template"]): allowed = iam.is_allowed(create_request) if not allowed: raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, create_action, project_resources) # check flow edit permission if check_info["override_template"]: tids = [ template_info["id"] for template_info in check_info["override_template"] ] resources_list = res_factory.resources_list_for_flows(tids) if not resources_list: return resources_map = {} for resources in resources_list: resources_map[resources[0].id] = resources edit_action = Action(IAMMeta.FLOW_EDIT_ACTION) edit_request = Request(IAMMeta.SYSTEM_ID, subject, edit_action, [], {}) result = iam.batch_is_allowed(edit_request, resources_list) if not result: raise MultiAuthFailedException(IAMMeta.SYSTEM_ID, subject, edit_action, resources_list) not_allowed_list = [] for tid, allow in result.items(): if not allow: not_allowed_list.append(resources_map[tid]) if not_allowed_list: raise MultiAuthFailedException(IAMMeta.SYSTEM_ID, subject, edit_action, not_allowed_list)