def setNotificationBannerText(self, notification_b64):
"""
Sets the notification banner remove_products_except.
Bevare: This method only works if the use is a SUPERUSER.
"""
self.__require_supermission()
notification = base64.b64decode(notification_b64).decode('utf-8')
with DBSession(self.__session) as session:
notificationQuery = session.query(Configuration) \
.filter(
Configuration.config_key == 'notification_banner_text') \
.one_or_none()
if notificationQuery is None:
conf = Configuration('notification_banner_text', notification)
session.add(conf)
session.flush()
else:
# update it
notificationQuery.config_value = notification
session.commit()
session.close()
def removeToken(self, token):
"""
Removes the given personal access token of the logged in user.
"""
self.__require_privilaged_access()
with DBSession(self.__config_db) as session:
# Check if the given token is a personal access token so it can be
# removed.
user = self.getLoggedInUser()
num_of_removed = session.query(Session) \
.filter(Session.user_name == user) \
.filter(Session.token == token) \
.filter(Session.can_expire.is_(False)) \
.delete(synchronize_session=False)
session.commit()
if not num_of_removed:
raise shared.ttypes.RequestFailed(
shared.ttypes.ErrorCode.DATABASE,
"Personal access token {0} was not found in the "
"database.".format(token))
# Invalidate the local session by token.
self.__manager.invalidate_local_session(token)
return True
def hasPermission(self, permission, extra_params):
"""
Returns whether or not the current logged-in user (or guest, if
authentication is disabled) is granted the given permission.
This method observes permission inheritance.
"""
with DBSession(self.__config_db) as session:
perm, params = ThriftAuthHandler.__create_permission_args(
permission, extra_params, session)
return require_permission(perm, params, self.__auth_session)
def newToken(self, description):
"""
Generate a new personal access token with the given description.
"""
self.__require_privilaged_access()
with DBSession(self.__config_db) as session:
token = generate_session_token()
user = self.getLoggedInUser()
session_token = Session(token, user, None, description, False)
session.add(session_token)
session.commit()
return SessionTokenData(token, description,
str(session_token.last_access))
def getNotificationBannerText(self):
"""
Retrieves the notification banner text.
"""
notificationString = ''
with DBSession(self.__session) as session:
notificationQuery = session.query(Configuration) \
.filter(
Configuration.config_key == 'notification_banner_text') \
.one_or_none()
if notificationQuery is not None:
notificationString = notificationQuery.config_value
return base64.b64encode(notificationString.encode('utf-8'))
def getTokens(self):
"""
Get available personal access tokens of the logged in user.
"""
self.__require_privilaged_access()
with DBSession(self.__config_db) as session:
user = self.getLoggedInUser()
sessionTokens = session.query(Session) \
.filter(Session.user_name == user) \
.filter(Session.can_expire.is_(False)) \
.all()
result = []
for t in sessionTokens:
result.append(
SessionTokenData(t.token, t.description,
str(t.last_access)))
return result
def removePermission(self, permission, auth_name, is_group, extra_params):
"""
Removes the given permission from the user or group auth_name.
"""
with DBSession(self.__config_db) as session:
perm, params = ThriftAuthHandler.__create_permission_args(
permission, extra_params, session)
if not require_manager(perm, params, self.__auth_session):
raise shared.ttypes.RequestFailed(
shared.ttypes.ErrorCode.UNAUTHORIZED,
"You can not manage the permission '{0}'".format(
perm.name))
handler = make_handler(perm, params)
handler.remove_permission(auth_name, is_group)
session.commit()
return True
def newToken(self, description):
"""
Generate a new personal access token with the given description.
"""
self.__require_privilaged_access()
with DBSession(self.__config_db) as session:
token = generate_session_token()
user = self.getLoggedInUser()
groups = ';'.join(self.__auth_session.groups)
session_token = Session(token, user, groups, description, False)
session.add(session_token)
session.commit()
LOG.info("New personal access token '%s...' has been generated "
"by '%s'.", token[:5], self.getLoggedInUser())
return SessionTokenData(token,
description,
str(session_token.last_access))
def getPermissionsForUser(self, scope, extra_params, perm_filter):
"""
Returns the permissions in the given permission scope and with the
given scope-specific extra_params for the current logged in user,
based on the permission filters.
Filters in the perm_filter struct are joined in an AND clause.
"""
if perm_filter is None or not any(perm_filter.__dict__.values()):
# If no filtering is needed, this function behaves identically
# to getPermissions().
return self.getPermissions(scope)
with DBSession(self.__config_db) as session:
# The database connection must always be passed to the permission
# handler.
params = ThriftAuthHandler.__unpack_extra_params(extra_params,
session)
perms = []
for perm in permissions.get_permissions(scope):
should_return = True
handler = make_handler(perm, params)
if should_return and perm_filter.given:
should_return = handler.has_permission(self.__auth_session)
if should_return and perm_filter.canManage:
# If the user has any of the permissions that are
# authorised to manage the currently iterated permission,
# the filter passes.
should_return = require_manager(
perm, params, self.__auth_session)
if should_return:
perms.append(perm)
return [permissions.api_enum_for_permission(p)
for p in perms]
def getAuthorisedNames(self, permission, extra_params):
"""
Returns the users and groups who were EXPLICITLY granted a particular
permission.
"""
with DBSession(self.__config_db) as session:
perm, params = ThriftAuthHandler.__create_permission_args(
permission, extra_params, session)
if not require_manager(perm, params, self.__auth_session):
raise shared.ttypes.RequestFailed(
shared.ttypes.ErrorCode.UNAUTHORIZED,
"You can not manage the permission '{0}'".format(
perm.name))
handler = make_handler(perm, params)
users, groups = handler.list_permitted()
# The special default permission marker is an internal value.
users = filter(lambda user: user != '*', users)
return AuthorisationList(users, groups)
