def get(self, request): """ List all roles. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :return: Response containing a list of roles :rtype: django.http.HttpResponse """ role_query_manager = factory.role_query_manager() user_query_manager = factory.user_query_manager() permissions_manager = factory.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id'])] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission link = {'_href': reverse('role_resource', kwargs={'role_id': role['id']})} role.update(link) return generate_json_response_with_pulp_encoder(roles)
def GET(self): role_query_manager = managers.role_query_manager() user_query_manager = managers.user_query_manager() permissions_manager = managers.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [ u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id']) ] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [ permissions_manager.operation_value_to_name(o) for o in operations ] role['permissions'] = resource_permission for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def test_syntactic_sugar_methods(self): """ Tests the syntactic sugar methods for retrieving specific managers. """ # Setup factory.initialize() # Test self.assertTrue(isinstance(factory.authentication_manager(), AuthenticationManager)) self.assertTrue(isinstance(factory.cert_generation_manager(), CertGenerationManager)) self.assertTrue(isinstance(factory.certificate_manager(), CertificateManager)) self.assertTrue(isinstance(factory.password_manager(), PasswordManager)) self.assertTrue(isinstance(factory.permission_manager(), PermissionManager)) self.assertTrue(isinstance(factory.permission_query_manager(), PermissionQueryManager)) self.assertTrue(isinstance(factory.role_manager(), RoleManager)) self.assertTrue(isinstance(factory.role_query_manager(), RoleQueryManager)) self.assertTrue(isinstance(factory.user_manager(), UserManager)) self.assertTrue(isinstance(factory.user_query_manager(), UserQueryManager)) self.assertTrue(isinstance(factory.repo_manager(), RepoManager)) self.assertTrue(isinstance(factory.repo_unit_association_manager(), RepoUnitAssociationManager)) self.assertTrue(isinstance(factory.repo_publish_manager(), RepoPublishManager)) self.assertTrue(isinstance(factory.repo_query_manager(), RepoQueryManager)) self.assertTrue(isinstance(factory.repo_sync_manager(), RepoSyncManager)) self.assertTrue(isinstance(factory.content_manager(), ContentManager)) self.assertTrue(isinstance(factory.content_query_manager(), ContentQueryManager)) self.assertTrue(isinstance(factory.content_upload_manager(), ContentUploadManager)) self.assertTrue(isinstance(factory.consumer_manager(), ConsumerManager)) self.assertTrue(isinstance(factory.topic_publish_manager(), TopicPublishManager))
def get(self, request, role_id): """ Retrieve a specific role. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :param role_id: id for the requested role :type role_id: str :return: Response containing the role :rtype: django.http.HttpResponse :raises: MissingResource if role ID does not exist """ role = factory.role_query_manager().find_by_id(role_id) if role is None: raise pulp_exceptions.MissingResource(role_id) role["users"] = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])] permissions_manager = factory.permission_manager() # isolate schema change resource_permission = {} for item in role["permissions"]: resource = item["resource"] operations = item.get("permission", []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role["permissions"] = resource_permission link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})} role.update(link) return generate_json_response_with_pulp_encoder(role)
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] permissions_manager = managers.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [ permissions_manager.operation_value_to_name(o) for o in operations ] role['permissions'] = resource_permission role.update(serialization.link.current_link_obj()) return self.ok(role)
def get(self, request): """ List all roles. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :return: Response containing a list of roles :rtype: django.http.HttpResponse """ role_query_manager = factory.role_query_manager() permissions_manager = factory.permission_manager() roles = role_query_manager.find_all() for role in roles: users = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])] role["users"] = users resource_permission = {} # isolate schema change if role["permissions"]: for item in role["permissions"]: resource = item["resource"] operations = item.get("permission", []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role["permissions"] = resource_permission link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})} role.update(link) return generate_json_response_with_pulp_encoder(roles)
def GET(self): role_query_manager = managers.role_query_manager() user_query_manager = managers.user_query_manager() permissions_manager = managers.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id'])] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def get(self, request, role_id): """ Retrieve a specific role. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :param role_id: id for the requested role :type role_id: str :return: Response containing the role :rtype: django.http.HttpResponse :raises: MissingResource if role ID does not exist """ role = factory.role_query_manager().find_by_id(role_id) if role is None: raise pulp_exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in factory.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = factory.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission link = {'_href': reverse('role_resource', kwargs={'role_id': role['id']})} role.update(link) return generate_json_response_with_pulp_encoder(role)
def remove_user_from_role(role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. :param role_id: role identifier :type role_id: str :param login: name of user :type login: str :raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) user = model.User.objects.get_or_404(login=login) if role_id == SUPER_USER_ROLE and user_controller.is_last_super_user(login): raise PulpDataException( _('%(role)s cannot be empty, and %(login)s is the last member') % {'role': SUPER_USER_ROLE, 'login': login}) if role_id not in user.roles: return user.roles.remove(role_id) user.save() for item in role['permissions']: other_roles = factory.role_query_manager().get_other_roles(role, user.roles) user_ops = _operations_not_granted_by_roles(item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], login, user_ops)
def setUp(self): super(PermissionManagerTests, self).setUp() self.alpha_num = string.letters + string.digits self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.role_manager.ensure_super_user_role() manager_factory.principal_manager().clear_principal()
def setUp(self): super(AuthControllersTests, self).setUp() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.password_manager = manager_factory.password_manager() self.role_manager.ensure_super_user_role() self.user_manager.ensure_admin()
def setUp(self): super(RoleManagerTests, self).setUp() self.alpha_num = string.letters + string.digits self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.role_manager.ensure_super_user_role() manager_factory.principal_manager().clear_principal()
def setUp(self): super(AuthControllersTests, self).setUp() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager( ) self.password_manager = manager_factory.password_manager() self.role_manager.ensure_super_user_role() self.user_manager.ensure_admin()
def remove_permissions_from_role(role_id, resource, operations): """ Remove permissions from a role. :param role_id: role identifier :type role_id: str :param resource: resource path to revoke permissions from :type resource: str :param operations: list or tuple :type operations: list of allowed operations being revoked :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: role['permissions'].remove(resource_permission) Role.get_collection().save(role, safe=True)
def GET(self): role_query_manager = managers.role_query_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [operation_to_name(o) for o in operations] for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = managers.permission_manager() for resource, operations in role['permissions'].items(): role['permissions'][resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role.update(serialization.link.current_link_obj()) return self.ok(role)
def remove_permissions_from_role(role_id, resource, operations): """ Remove permissions from a role. :param role_id: role identifier :type role_id: str :param resource: resource path to revoke permissions from :type resource: str :param operations: list or tuple :type operations: list of allowed operations being revoked :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: role['permissions'].remove(resource_permission) Role.get_collection().save(role, safe=True)
def remove_permissions_from_role(self, role_id, resource, operations): """ Remove permissions from a role. @type role_id: str @param role_id: role identifier @type resource: str @param resource: resource path to revoke permissions from @type operations: list of allowed operations being revoked @param operations: list or tuple @raise MissingResource: if the given role does not exist """ if role_id == self.super_user_role: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].get(resource, []) if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: del role['permissions'][resource] Role.get_collection().save(role, safe=True)
def GET(self): role_query_manager = managers.role_query_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [ operation_to_name(o) for o in operations ] for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def delete_role(role_id): """ Deletes the given role. This has the side-effect of revoking any permissions granted to the role from the users in the role, unless those permissions are also granted through another role the user is a memeber of. :param role_id: identifies the role being deleted :type role_id: str :raise InvalidValue: if any of the fields are unacceptable :raise MissingResource: if the given role does not exist :raise PulpDataException: if role is a superuser role """ # Raise exception if role id is invalid if role_id is None or not isinstance(role_id, basestring): raise InvalidValue(['role_id']) # Check whether role exists role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) # Make sure role is not a superuser role if role_id == SUPER_USER_ROLE: raise PulpDataException(_('Role %s cannot be changed') % role_id) # Remove respective roles from users users = factory.user_query_manager().find_users_belonging_to_role( role_id) for item in role['permissions']: for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], user['login'], user_ops) for user in users: user['roles'].remove(role_id) factory.user_manager().update_user(user['login'], Delta(user, 'roles')) Role.get_collection().remove({'id': role_id}, safe=True)
def remove_permissions_from_role(self, role_id, resource, operations): """ Remove permissions from a role. @type role_id: str @param role_id: role identifier @type resource: str @param resource: resource path to revoke permissions from @type operations: list of allowed operations being revoked @param operations: list or tuple @raise MissingResource: if the given role does not exist """ if role_id == self.super_user_role: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id' : role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].get(resource, []) if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: del role['permissions'][resource] Role.get_collection().save(role, safe=True)
def remove_user_from_role(self, role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. @type role_id: str @param role_id: role identifier @type login: str @param login: name of user @rtype: bool @return: True on success @raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login': login}) if user is None: raise MissingResource(login) if role_id == self.super_user_role and factory.user_query_manager( ).is_last_super_user(login): raise PulpDataException( _('%s cannot be empty, and %s is the last member') % (self.super_user_role, login)) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for resource, operations in role['permissions'].items(): other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, login, user_ops)
def GET(self, role_id): manager = managers.role_query_manager() role = manager.find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [ operation_to_name(o) for o in operations ] role.update(serialization.link.current_link_obj()) return self.ok(role)
def remove_user_from_role(role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. :param role_id: role identifier :type role_id: str :param login: name of user :type login: str :raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login': login}) if user is None: raise MissingResource(login) if role_id == SUPER_USER_ROLE and factory.user_query_manager( ).is_last_super_user(login): raise PulpDataException( _('%(role)s cannot be empty, and %(login)s is the last member') % { 'role': SUPER_USER_ROLE, 'login': login }) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for item in role['permissions']: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], login, user_ops)
def remove_user_from_role(self, role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. @type role_id: str @param role_id: role identifier @type login: str @param login: name of user @rtype: bool @return: True on success @raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id' : role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login' : login}) if user is None: raise MissingResource(login) if role_id == self.super_user_role and factory.user_query_manager().is_last_super_user(login): raise PulpDataException(_('%s cannot be empty, and %s is the last member') % (self.super_user_role, login)) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for resource, operations in role['permissions'].items(): other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, login, user_ops)
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = managers.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission role.update(serialization.link.current_link_obj()) return self.ok(role)
def delete_role(role_id): """ Deletes the given role. This has the side-effect of revoking any permissions granted to the role from the users in the role, unless those permissions are also granted through another role the user is a memeber of. :param role_id: identifies the role being deleted :type role_id: str :raise InvalidValue: if any of the fields are unacceptable :raise MissingResource: if the given role does not exist :raise PulpDataException: if role is a superuser role """ # Raise exception if role id is invalid if role_id is None or not isinstance(role_id, basestring): raise InvalidValue(['role_id']) # Check whether role exists role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) # Make sure role is not a superuser role if role_id == SUPER_USER_ROLE: raise PulpDataException(_('Role %s cannot be changed') % role_id) # Remove respective roles from users users = factory.user_query_manager().find_users_belonging_to_role(role_id) for item in role['permissions']: for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], user['login'], user_ops) for user in users: user['roles'].remove(role_id) factory.user_manager().update_user(user['login'], Delta(user, 'roles')) Role.get_collection().remove({'id': role_id}, safe=True)