def get(self, request):
    """
    Retrieve permissions for all resources or for a particular resource.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest
    :return: Response containing a list of permissions for resource/s
    :rtype: django.http.HttpResponse
    """
    resource = request.GET.get('resource', None)
    query_manager = factory.permission_query_manager()
    if resource is None:
        permissions = query_manager.find_all()
    else:
        found = query_manager.find_by_resource(resource)
        permissions = [] if found is None else [found]

    for permission in permissions:
        # Storage keeps ``users`` as a list of {'username', 'permissions'} entries;
        # the API keeps presenting a username -> operation-name map so the schema
        # change stays invisible to clients.
        by_user = {}
        for entry in permission['users']:
            by_user[entry['username']] = entry['permissions']
        permission['users'] = by_user
        permission_manager = factory.permission_manager()
        for username in list(by_user):
            by_user[username] = [permission_manager.operation_value_to_name(o)
                                 for o in by_user[username]]
    return generate_json_response_with_pulp_encoder(permissions)
def is_authorized(self, resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource

    @type resource: str
    @param resource: pulp resource path
    @type login: str
    @param login: login of user to check permissions for
    @type operation: int
    @param operation: operation to be performed on resource
    @rtype: bool
    @return: True if the user is authorized for the operation on the resource,
             False otherwise
    """
    # Superusers bypass the permission lookup entirely.
    if self.is_superuser(login):
        return True
    query_manager = factory.permission_query_manager()
    # Walk from the most specific path towards its parents: a grant on any
    # ancestor resource applies to the requested one.
    segments = [segment for segment in resource.split('/') if segment]
    for depth in range(len(segments), 0, -1):
        candidate = '/%s/' % '/'.join(segments[:depth])
        permission = query_manager.find_by_resource(candidate)
        if permission is None:
            continue
        if operation in permission['users'].get(login, []):
            return True
    # The loop above never produces the bare root path, so check '/' separately.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in root['users'].get(login, [])
def is_authorized(self, resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource

    @type resource: str
    @param resource: pulp resource path
    @type login: str
    @param login: login of user to check permissions for
    @type operation: int
    @param operation: operation to be performed on resource
    @rtype: bool
    @return: True if the user is authorized for the operation on the resource,
             False otherwise
    """
    # Superusers bypass the permission lookup entirely.
    if self.is_superuser(login):
        return True
    query_manager = factory.permission_query_manager()
    # Walk from the most specific path towards its parents: a grant on any
    # ancestor resource applies to the requested one.
    segments = [segment for segment in resource.split('/') if segment]
    for depth in range(len(segments), 0, -1):
        candidate = '/%s/' % '/'.join(segments[:depth])
        permission = query_manager.find_by_resource(candidate)
        if permission is None:
            continue
        if operation in query_manager.find_user_permission(permission, login):
            return True
    # The loop above never produces the bare root path, so check '/' separately.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in query_manager.find_user_permission(root, login)
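def test_syntactic_sugar_methods(self):
    """
    Tests the syntactic sugar methods for retrieving specific managers.

    Every factory accessor must hand back an instance of the manager class it
    advertises.
    """
    # Setup
    factory.initialize()

    # Test -- assertIsInstance names the offending type on failure, where
    # assertTrue(isinstance(...)) only reports "False is not true".
    expected = [
        (factory.authentication_manager, AuthenticationManager),
        (factory.cert_generation_manager, CertGenerationManager),
        (factory.certificate_manager, CertificateManager),
        (factory.password_manager, PasswordManager),
        (factory.permission_manager, PermissionManager),
        (factory.permission_query_manager, PermissionQueryManager),
        (factory.role_manager, RoleManager),
        (factory.role_query_manager, RoleQueryManager),
        (factory.user_manager, UserManager),
        (factory.user_query_manager, UserQueryManager),
        (factory.repo_manager, RepoManager),
        (factory.repo_unit_association_manager, RepoUnitAssociationManager),
        (factory.repo_publish_manager, RepoPublishManager),
        (factory.repo_query_manager, RepoQueryManager),
        (factory.repo_sync_manager, RepoSyncManager),
        (factory.content_manager, ContentManager),
        (factory.content_query_manager, ContentQueryManager),
        (factory.content_upload_manager, ContentUploadManager),
        (factory.consumer_manager, ConsumerManager),
        (factory.topic_publish_manager, TopicPublishManager),
    ]
    for accessor, manager_class in expected:
        self.assertIsInstance(accessor(), manager_class)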
def is_authorized(resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource.

    :param resource: pulp resource url
    :type resource: str
    :param login: login of user to check permissions for
    :type login: str
    :param operation: operation to be performed on resource
    :type operation: int
    :return: True if the user is authorized for the operation on the resource,
             False otherwise
    :rtype: bool
    """
    user = model.User.objects.get_or_404(login=login)
    if user.is_superuser():
        return True
    query_manager = manager_factory.permission_query_manager()
    # User is authorized if they have access to the resource or any of its base resources.
    segments = [segment for segment in resource.split('/') if segment]
    for depth in range(len(segments), 0, -1):
        candidate = '/%s/' % '/'.join(segments[:depth])
        permission = query_manager.find_by_resource(candidate)
        if permission is None:
            continue
        if operation in query_manager.find_user_permission(permission, login):
            return True
    # The loop above never produces the bare root path, so check '/' separately.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in query_manager.find_user_permission(root, login)
def GET(self):
    """
    List permissions, optionally restricted to a single resource.

    When the ``resource`` query parameter is present only that resource's
    permission is returned (an empty list if none exists). Operation values in
    each permission's user map are replaced by their names before responding.
    """
    resource = web.input().get('resource', None)
    query_manager = managers.permission_query_manager()
    if resource is None:
        permissions = query_manager.find_all()
    else:
        found = query_manager.find_by_resource(resource)
        permissions = [found] if found is not None else []
    for permission in permissions:
        user_ops = permission['users']
        for login in list(user_ops):
            user_ops[login] = [operation_to_name(o) for o in user_ops[login]]
    return self.ok(permissions)
def GET(self):
    """
    List permissions, optionally restricted to a single resource.

    When the ``resource`` query parameter is present only that resource's
    permission is returned (an empty list if none exists). Operation values in
    each permission's user map are replaced by their names before responding.
    """
    query_manager = managers.permission_query_manager()
    resource = web.input().get('resource', None)
    if resource is not None:
        found = query_manager.find_by_resource(resource)
        permissions = [] if found is None else [found]
    else:
        permissions = query_manager.find_all()
    for permission in permissions:
        user_ops = permission['users']
        for login in list(user_ops):
            user_ops[login] = [operation_to_name(o) for o in user_ops[login]]
    return self.ok(permissions)
def setUp(self):
    """
    Build the manager fixtures shared by the role manager tests, make sure the
    super user role exists and clear the current principal so no test starts
    with a logged-in user.
    """
    super(RoleManagerTests, self).setUp()
    self.alpha_num = string.letters + string.digits
    fixtures = (
        ('role_manager', manager_factory.role_manager),
        ('role_query_manager', manager_factory.role_query_manager),
        ('permission_manager', manager_factory.permission_manager),
        ('permission_query_manager', manager_factory.permission_query_manager),
    )
    for attr_name, build in fixtures:
        setattr(self, attr_name, build())
    self.role_manager.ensure_super_user_role()
    manager_factory.principal_manager().clear_principal()
def setUp(self):
    """
    Build the manager fixtures shared by the permission manager tests, make sure
    the super user role exists and clear the current principal so no test starts
    with a logged-in user.
    """
    super(PermissionManagerTests, self).setUp()
    self.alpha_num = string.letters + string.digits
    fixtures = (
        ('role_manager', manager_factory.role_manager),
        ('role_query_manager', manager_factory.role_query_manager),
        ('permission_manager', manager_factory.permission_manager),
        ('permission_query_manager', manager_factory.permission_query_manager),
    )
    for attr_name, build in fixtures:
        setattr(self, attr_name, build())
    self.role_manager.ensure_super_user_role()
    manager_factory.principal_manager().clear_principal()
def setUp(self):
    """
    Build the manager fixtures used by the auth controller tests, then make sure
    the super user role and the admin user exist.
    """
    super(AuthControllersTests, self).setUp()
    fixtures = (
        ('user_manager', manager_factory.user_manager),
        ('user_query_manager', manager_factory.user_query_manager),
        ('role_manager', manager_factory.role_manager),
        ('role_query_manager', manager_factory.role_query_manager),
        ('permission_manager', manager_factory.permission_manager),
        ('permission_query_manager', manager_factory.permission_query_manager),
        ('password_manager', manager_factory.password_manager),
    )
    for attr_name, build in fixtures:
        setattr(self, attr_name, build())
    self.role_manager.ensure_super_user_role()
    self.user_manager.ensure_admin()
def setUp(self):
    """
    Build the manager fixtures used by the auth controller tests, then make sure
    the super user role and the admin user exist.
    """
    super(AuthControllersTests, self).setUp()
    fixtures = (
        ('user_manager', manager_factory.user_manager),
        ('user_query_manager', manager_factory.user_query_manager),
        ('role_manager', manager_factory.role_manager),
        ('role_query_manager', manager_factory.role_query_manager),
        ('permission_manager', manager_factory.permission_manager),
        ('permission_query_manager', manager_factory.permission_query_manager),
        ('password_manager', manager_factory.password_manager),
    )
    for attr_name, build in fixtures:
        setattr(self, attr_name, build())
    self.role_manager.ensure_super_user_role()
    self.user_manager.ensure_admin()
def GET(self):
    """
    List permissions, optionally restricted to a single resource.

    When the ``resource`` query parameter is present only that resource's
    permission is returned (an empty list if none exists). Each permission's
    stored ``users`` list of {'username', 'permissions'} entries is flattened
    to a username -> operation-name map so the storage schema is not exposed
    to API clients.
    """
    resource = web.input().get('resource', None)
    query_manager = managers.permission_query_manager()
    if resource is None:
        permissions = query_manager.find_all()
    else:
        found = query_manager.find_by_resource(resource)
        permissions = [] if found is None else [found]
    for permission in permissions:
        # Keep the schema change behind the API: clients keep seeing a dict.
        by_user = {}
        for entry in permission['users']:
            by_user[entry['username']] = entry['permissions']
        permission['users'] = by_user
        permission_manager = managers.permission_manager()
        for username in list(by_user):
            by_user[username] = [permission_manager.operation_value_to_name(o)
                                 for o in by_user[username]]
    return self.ok(permissions)
def revoke(resource, login, operations):
    """
    Revoke permission on a resource for a user and a set of operations.

    :param resource: uri path representing a pulp resource
    :type resource: str
    :param login: login of user to revoke permissions from
    :type login: str
    :param operations: list of allowed operations being revoked
    :type operations: list or tuple of integers
    :raises InvalidValue: if some params are invalid
    """
    query_manager = factory.permission_query_manager()
    # The system account's permissions are never managed through this API.
    if login == system.SYSTEM_LOGIN:
        return
    user = User.get_collection().find_one({'login': login})
    if user is None:
        raise InvalidValue(['login'])
    permission = Permission.get_collection().find_one({'resource': resource})
    if permission is None:
        return
    granted = query_manager.find_user_permission(permission, user['login'])
    if not granted:
        return
    for op in operations:
        if op in granted:
            granted.remove(op)
    if not granted:
        # Nothing left for this user on the resource: drop the user entry, and
        # the whole permission document once no users remain on it.
        query_manager.delete_user_permission(permission, user['login'])
        if not permission['users']:
            PermissionManager.delete_permission(resource)
            return
    Permission.get_collection().save(permission)
def revoke_all_permissions_from_user(self, login):
    """
    Revoke all the permissions from a given user

    @type login: str
    @param login: login of the user to revoke all permissions from
    @rtype: bool
    @return: True on success
    """
    for permission in factory.permission_query_manager().find_all():
        user_ops = permission['users']
        if login in user_ops:
            del user_ops[login]
            Permission.get_collection().save(permission, safe=True)
    return True
def revoke_all_permissions_from_user(self, login):
    """
    Revoke all the permissions from a given user

    :param login: login of the user to revoke all permissions from
    :type login: str
    """
    query_manager = factory.permission_query_manager()
    for permission in query_manager.find_all():
        if query_manager.get_user_permission(permission, login) is None:
            continue
        query_manager.delete_user_permission(permission, login)
        collection = Permission.get_collection()
        if permission['users']:
            collection.save(permission, safe=True)
        else:
            # No users remain on this resource; drop the document entirely.
            collection.remove({'resource': permission['resource']}, safe=True)
def revoke(resource, login, operations):
    """
    Revoke permission on a resource for a user and a set of operations.

    :param resource: uri path representing a pulp resource
    :type resource: str
    :param login: login of user to revoke permissions from
    :type login: str
    :param operations: list of allowed operations being revoked
    :type operations: list or tuple of integers
    :raises InvalidValue: if some params are invalid
    """
    query_manager = factory.permission_query_manager()
    # The system account's permissions are never managed through this API.
    if login == system.SYSTEM_LOGIN:
        return
    user = User.get_collection().find_one({'login': login})
    if user is None:
        raise InvalidValue(['login'])
    permission = Permission.get_collection().find_one({'resource': resource})
    if permission is None:
        return
    granted = query_manager.find_user_permission(permission, user['login'])
    if not granted:
        return
    for op in operations:
        if op in granted:
            granted.remove(op)
    if not granted:
        # Nothing left for this user on the resource: drop the user entry, and
        # the whole permission document once no users remain on it.
        query_manager.delete_user_permission(permission, user['login'])
        if not permission['users']:
            PermissionManager.delete_permission(resource)
            return
    Permission.get_collection().save(permission, safe=True)
def revoke_all_permissions_from_user(self, login):
    """
    Revoke all the permissions from a given user

    @type login: str
    @param login: login of the user to revoke all permissions from
    @rtype: bool
    @return: True on success
    """
    for permission in factory.permission_query_manager().find_all():
        user_ops = permission['users']
        if login not in user_ops:
            continue
        del user_ops[login]
        collection = Permission.get_collection()
        if not user_ops:
            # Delete entire permission if there are no more users
            collection.remove({'resource': permission['resource']}, safe=True)
        else:
            collection.save(permission, safe=True)
def revoke_all_permissions_from_user(self, login):
    """
    Revoke all the permissions from a given user

    @type login: str
    @param login: login of the user to revoke all permissions from
    @rtype: bool
    @return: True on success
    """
    for permission in factory.permission_query_manager().find_all():
        user_ops = permission['users']
        if login not in user_ops:
            continue
        del user_ops[login]
        collection = Permission.get_collection()
        if not user_ops:
            # Delete entire permission if there are no more users
            collection.remove({'resource': permission['resource']}, safe=True)
        else:
            collection.save(permission, safe=True)
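def grant(resource, login, operations):
    """
    Grant permission on a resource for a user and a set of operations.

    :param resource: uri path representing a pulp resource
    :type resource: str
    :param login: login of user to grant permissions to
    :type login: str
    :param operations: list of allowed operations being granted
    :type operations: list or tuple of integers
    :raises InvalidValue: if some params are invalid
    """
    # we don't grant permissions to the system
    if login == system.SYSTEM_LOGIN:
        return
    user = User.get_collection().find_one({'login': login})
    if user is None:
        raise InvalidValue(['login'])
    # Make sure resource is a valid string or unicode. Report the offending
    # property name, as the 'login' case above does, rather than the raw value.
    if not isinstance(resource, basestring):
        raise InvalidValue(['resource'])
    # Get or create permission if it doesn't already exist
    permission = Permission.get_collection().find_one({'resource': resource})
    if permission is None:
        permission = PermissionManager.create_permission(resource)
    current_ops = factory.permission_query_manager().find_user_permission(
        permission, user['login'], create=True)
    # Append only operations the user does not already hold so the stored list
    # stays free of duplicates.
    for o in operations:
        if o in current_ops:
            continue
        current_ops.append(o)
    Permission.get_collection().save(permission, safe=True)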
def is_authorized(resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource.

    :param resource: pulp resource url
    :type resource: str
    :param login: login of user to check permissions for
    :type login: str
    :param operation: operation to be performed on resource
    :type operation: int
    :return: True if the user is authorized for the operation on the resource,
             False otherwise
    :rtype: bool
    """
    user = model.User.objects.get_or_404(login=login)
    if user.is_superuser():
        return True
    query_manager = manager_factory.permission_query_manager()
    # User is authorized if they have access to the resource or any of its base resources.
    segments = [segment for segment in resource.split('/') if segment]
    for depth in range(len(segments), 0, -1):
        candidate = '/%s/' % '/'.join(segments[:depth])
        permission = query_manager.find_by_resource(candidate)
        if permission is None:
            continue
        if operation in query_manager.find_user_permission(permission, login):
            return True
    # The loop above never produces the bare root path, so check '/' separately.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in query_manager.find_user_permission(root, login)