def test_test(self): auth = getUtility(IAuthentication, context=None) auth.registerPrincipal(User('user1')) auth.registerPrincipal(User('user2')) # setup some fake permissions to the test principals prinperG.grantPermissionToPrincipal('read', 'user1') prinperG.grantPermissionToPrincipal('zope.Nothing', 'user2') # set up interactions interaction_user1 = self._get_interaction('user1') interaction_user2 = self._get_interaction('user2') # get the object being secured compute = self.make_compute() eq_(compute.architecture, 'linux') # get the proxies for the corresponding interactions compute_proxy_user1 = proxy_factory(compute, interaction_user1) compute_proxy_user2 = proxy_factory(compute, interaction_user2) # check an authorized access eq_(compute_proxy_user1.architecture, 'linux') # check an unauthorized access with assert_raises(Unauthorized): eq_(compute_proxy_user2.architecture, 'linux') # check a default unauthorized access with assert_raises(Unauthorized): eq_(compute_proxy_user1.state, 'active')
def handle_request(self, request): """Takes a request, maps it to a domain object and a corresponding IHttpRestView and returns the rendered output of that view. """ principal = self.check_auth(request) oms_root = db.get_root()['oms_root'] objs, unresolved_path = traverse_path(oms_root, request.path[1:]) if not objs and unresolved_path: objs = [oms_root] obj = objs[-1] interaction = self.get_interaction(request, principal) request.interaction = interaction if self.use_security_proxy: obj = proxy_factory(obj, interaction) view = self.find_view(obj, unresolved_path, request) needs_rw_transaction = view.rw_transaction(request) # create a security proxy if we have a secured interaction if interaction: try: view = proxy_factory(view, interaction) except: # XXX: TODO: define a real exception for this proxy creation error # right now we want to ignore security when there are no declared rules # on how to secure a view pass def get_renderer(view, method): try: return getattr(view, method, None) except zope.security.interfaces.Unauthorized: raise Forbidden('User does not have permission to access this resource') for method in ('render_' + request.method, 'render_' + request.method.lower(), 'render'): renderer = get_renderer(view, method) if renderer: from opennode.oms.endpoint.httprest.auth import AuthView if isinstance(view, AuthView) and renderer.__name__ == 'render': res = renderer(request, self.use_keystone_tokens) else: res = renderer(request) return res if needs_rw_transaction else db.RollbackValue(res) raise NotImplementedError("Method %s is not implemented in %s\n" % (request.method, view))
def handle_request(self, request): """Takes a request, maps it to a domain object and a corresponding IHttpRestView and returns the rendered output of that view. """ token = self.get_token(request) oms_root = db.get_root()['oms_root'] objs, unresolved_path = traverse_path(oms_root, request.path[1:]) if not objs and unresolved_path: objs = [oms_root] obj = objs[-1] interaction = self.get_interaction(request, token) request.interaction = interaction if self.use_security_proxy: obj = proxy_factory(obj, interaction) view = self.find_view(obj, unresolved_path, request) needs_rw_transaction = view.rw_transaction(request) # create a security proxy if we have a secured interaction if interaction: try: view = proxy_factory(view, interaction) except: # XXX: TODO: define a real exception for this proxy creation error # right now we want to ignore security when there are no declared rules # on how to secure a view pass def get_renderer(view, method): try: return getattr(view, method, None) except zope.security.interfaces.Unauthorized, e: from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility auth_util = getUtility(IHttpRestAuthenticationUtility) if token or not auth_util.get_basic_auth_credentials(request) or \ (self.use_keystone_tokens and not auth_util.get_keystone_auth_credentials(request)): raise Forbidden( 'User does not have permission to access this resource' ) raise Unauthorized()
def traverse(self, path): objs, unresolved_path = self.traverse_full(path) if not objs or unresolved_path: return elif self.protocol.use_security_proxy: return proxy_factory(objs[-1], self.protocol.interaction) else: return objs[-1]
def handle_request(self, request): """Takes a request, maps it to a domain object and a corresponding IHttpRestView and returns the rendered output of that view. """ token = self.get_token(request) oms_root = db.get_root()['oms_root'] objs, unresolved_path = traverse_path(oms_root, request.path[1:]) if not objs and unresolved_path: objs = [oms_root] obj = objs[-1] interaction = self.get_interaction(request, token) request.interaction = interaction if self.use_security_proxy: obj = proxy_factory(obj, interaction) view = self.find_view(obj, unresolved_path, request) needs_rw_transaction = view.rw_transaction(request) # create a security proxy if we have a secured interaction if interaction: try: view = proxy_factory(view, interaction) except: # XXX: TODO: define a real exception for this proxy creation error # right now we want to ignore security when there are no declared rules # on how to secure a view pass def get_renderer(view, method): try: return getattr(view, method, None) except zope.security.interfaces.Unauthorized, e: from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility auth_util = getUtility(IHttpRestAuthenticationUtility) if token or not auth_util.get_basic_auth_credentials(request) or \ (self.use_keystone_tokens and not auth_util.get_keystone_auth_credentials(request)): raise Forbidden('User does not have permission to access this resource') raise Unauthorized()
def test_adapt(self): auth = getUtility(IAuthentication, context=None) auth.registerPrincipal(User('user1')) interaction = self._get_interaction('user1') # get the object being secured compute = self.make_compute() compute_proxy = proxy_factory(compute, interaction) eq_(IContainer(compute), IContainer(compute_proxy))
def test_schema(self): auth = getUtility(IAuthentication, context=None) auth.registerPrincipal(User('userSchema')) prinperG.grantPermissionToPrincipal('read', 'userSchema') prinperG.grantPermissionToPrincipal('modify', 'userSchema') interaction = self._get_interaction('userSchema') # get the object being secured compute = self.make_compute() compute_proxy = proxy_factory(compute, interaction) eq_(model_to_dict(compute), model_to_dict(compute_proxy))
def check_rights(self, obj, args): interaction = self.protocol.interaction obj = proxy_factory(obj, interaction) allowed = [] denied = [] for r in args.r: for i in r.split(','): i = i.strip() if i.startswith('@'): i = i[1:] (allowed if interaction.checkPermission(i, obj) else denied).append(i) self.write("+%s:-%s\n" % (','.join('@' + i for i in allowed), ','.join('@' + i for i in denied)))
def sudo(obj): """ System utility to elevate privileges to certain object accesses """ obj = getObject(obj) if type(obj) is Proxy else obj return checker.proxy_factory(obj, new_interaction('root'))