def main(): lines = [] lines.append(HEADER) lines.append('') for resource_type in RESOURCE_DISPLAY_ORDER: resource_title = resource_type.replace('_', ' ').title() # pylint: disable=no-member lines.append('%s' % (resource_title)) lines.append('~' * len(resource_title)) lines.append('') permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) rows = [] rows.append(TABLE_HEADER) for permission_type in permission_types: description = PermissionType.get_permission_description(permission_type) rows.append([permission_type, description]) table = as_rest_table(rows, full=True) lines.extend(table.split('\n')) lines.append('') result = '\n'.join(lines) with open(DESTINATION_PATH, 'w') as fp: fp.write(result) print('Generated: %s' % (DESTINATION_PATH)) return result
def main(): lines = [] lines.append(HEADER) lines.append("") for resource_type in RESOURCE_DISPLAY_ORDER: resource_title = resource_type.replace("_", " ").title() # pylint: disable=no-member lines.append("%s" % (resource_title)) lines.append("~" * len(resource_title)) lines.append("") permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type=resource_type) rows = [] rows.append(TABLE_HEADER) for permission_type in permission_types: description = PermissionType.get_permission_description(permission_type) rows.append(["**%s**" % (permission_type), description]) table = as_rest_table(rows, full=True) lines.extend(table.split("\n")) lines.append("") result = "\n".join(lines) with open(DESTINATION_PATH, "w") as fp: fp.write(result) print("Generated: %s" % (DESTINATION_PATH)) return result
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type): log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': resource_uid, 'resource_type': self.resource_type, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions self._log('Checking grants via system role permissions', extra=log_context) has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='view') all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='all') if permission_type == view_permission_type: # Note: Some permissions such as "create", "modify", "delete" and "execute" also # grant / imply "view" permission permission_types = self.view_grant_permission_types[:] + [permission_type] elif permission_type not in all_permission_type: permission_types = [all_permission_type, permission_type] else: permission_types = [permission_type] # Check direct grants on the specified resource self._log('Checking direct grans on the specified resource', extra=log_context) resource_types = [self.resource_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=resource_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack self._log('Checking grants on the parent resource', extra=log_context) resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def main(): lines = [] lines.append(HEADER) lines.append('') for resource_type in RESOURCE_DISPLAY_ORDER: resource_title = resource_type.replace('_', ' ').title() # pylint: disable=no-member lines.append('%s' % (resource_title)) lines.append('~' * len(resource_title)) lines.append('') permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) rows = [] rows.append(TABLE_HEADER) for permission_type in permission_types: description = PermissionType.get_permission_description( permission_type) rows.append(['**%s**' % (permission_type), description]) table = as_rest_table(rows, full=True) lines.extend(table.split('\n')) lines.append('') result = '\n'.join(lines) with open(DESTINATION_PATH, 'w') as fp: fp.write(result) print('Generated: %s' % (DESTINATION_PATH)) return result
def test_get_permission_name(self): self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), 'create') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), 'delete') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), 'all') self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), 'all')
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type): log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': resource_uid, 'resource_type': self.resource_type, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='view') all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='all') if permission_type == view_permission_type: # Note: Some permissions such as "create", "modify", "delete" and "execute" also # grant / imply "view" permission permission_types = self.view_grant_permission_types[:] + [permission_type] elif permission_type not in all_permission_type: permission_types = [all_permission_type, permission_type] else: permission_types = [permission_type] # Check direct grants on the specified resource resource_types = [self.resource_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=resource_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def test_get_resource_type(self): self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE), ResourceType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE), ResourceType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL), ResourceType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL), ResourceType.PACK)
def test_get_permission_type(self): self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='view'), PermissionType.ACTION_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='all'), PermissionType.ACTION_ALL) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='execute'), PermissionType.ACTION_EXECUTE) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='view'), PermissionType.RULE_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='delete'), PermissionType.RULE_DELETE) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='view'), PermissionType.SENSOR_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='all'), PermissionType.SENSOR_ALL) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='modify'), PermissionType.SENSOR_MODIFY) self.assertEqual( PermissionType.get_permission_type(resource_type=ResourceType.RULE_ENFORCEMENT, permission_name='view'), PermissionType.RULE_ENFORCEMENT_VIEW)
def test_get_valid_permission_for_resource_type(self): valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type( resource_type=ResourceType.ACTION ) for name in valid_action_permissions: self.assertTrue(name.startswith(ResourceType.ACTION + "_")) valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(resource_type=ResourceType.RULE) for name in valid_rule_permissions: self.assertTrue(name.startswith(ResourceType.RULE + "_"))
def test_get_valid_permission_for_resource_type(self): valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type( resource_type=ResourceType.ACTION) for name in valid_action_permissions: self.assertTrue(name.startswith(ResourceType.ACTION + '_')) valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type( resource_type=ResourceType.RULE) for name in valid_rule_permissions: self.assertTrue(name.startswith(ResourceType.RULE + '_'))
def test_get_permission_type(self): self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='view'), PermissionType.ACTION_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='all'), PermissionType.ACTION_ALL) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION, permission_name='execute'), PermissionType.ACTION_EXECUTE) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='view'), PermissionType.RULE_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='delete'), PermissionType.RULE_DELETE) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='view'), PermissionType.SENSOR_VIEW) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='all'), PermissionType.SENSOR_ALL) self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR, permission_name='modify'), PermissionType.SENSOR_MODIFY)
def test_get_permission_name(self): self.assertEqual( PermissionType.get_permission_name(PermissionType.ACTION_LIST), "list") self.assertEqual( PermissionType.get_permission_name(PermissionType.ACTION_CREATE), "create") self.assertEqual( PermissionType.get_permission_name(PermissionType.ACTION_DELETE), "delete") self.assertEqual( PermissionType.get_permission_name(PermissionType.ACTION_ALL), "all") self.assertEqual( PermissionType.get_permission_name(PermissionType.PACK_ALL), "all") self.assertEqual( PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY), "modify") self.assertEqual( PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE), "execute") self.assertEqual( PermissionType.get_permission_name( PermissionType.RULE_ENFORCEMENT_LIST), "list", )
def test_user_has_resource_db_permission(self): resolver = WebhookPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.WEBHOOK) # Admin user, should always return true resource_db = self.resources['webhook_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with "webhook_send" grant on webhook_1 user_db = self.users['custom_role_webhook_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.WEBHOOK_SEND) permission_types = [ PermissionType.WEBHOOK_CREATE, PermissionType.WEBHOOK_DELETE, PermissionType.WEBHOOK_ALL ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)
def _user_has_list_permission(self, user_db, permission_type): """ Common method for checking if a user has specific "list" resource permission (e.g. rules_list, action_list, etc.). """ assert PermissionType.get_permission_name(permission_type) == 'list' log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user(user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_list_permission(self, user_db, permission_type): """ Common method for checking if a user has specific "list" resource permission (e.g. rules_list, action_list, etc.). """ assert PermissionType.get_permission_name(permission_type) == 'list' return self._user_has_global_permission(user_db=user_db, permission_type=permission_type)
def _user_has_list_permission(self, user_db, permission_type): """ Common method for checking if a user has specific "list" resource permission (e.g. rules_list, action_list, etc.). """ assert PermissionType.get_permission_name(permission_type) == 'list' log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user( user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def validate(self): # Parent JSON schema validation super(RoleDefinitionFileFormatAPI, self).validate() # Custom validation # Validate that only the correct permission types are used permission_grants = getattr(self, 'permission_grants', []) for permission_grant in permission_grants: resource_uid = permission_grant.get('resource_uid', None) permission_types = permission_grant.get('permission_types', []) if resource_uid: # Permission types which apply to a resource resource_type, _ = parse_uid(uid=resource_uid) valid_permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: message = ( 'Invalid permission type "%s" for resource type "%s"' % (permission_type, resource_type)) raise ValueError(message) else: # Right now we only support single permission type (list) which is global and # doesn't apply to a resource for permission_type in permission_types: if not permission_type.endswith('_list'): message = ( 'Invalid permission type "%s". Only "list" permission types ' 'can be used without a resource id' % (permission_type)) raise ValueError(message)
def validate(self): # Parent JSON schema validation cleaned = super(RoleDefinitionFileFormatAPI, self).validate() # Custom validation # Validate that only the correct permission types are used permission_grants = getattr(self, 'permission_grants', []) for permission_grant in permission_grants: resource_uid = permission_grant.get('resource_uid', None) permission_types = permission_grant.get('permission_types', []) if resource_uid: # Permission types which apply to a resource resource_type, _ = parse_uid(uid=resource_uid) valid_permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: message = ('Invalid permission type "%s" for resource type "%s"' % (permission_type, resource_type)) raise ValueError(message) else: # Right now we only support single permission type (list) which is global and # doesn't apply to a resource for permission_type in permission_types: if not permission_type.endswith('_list'): message = ('Invalid permission type "%s". Only "list" permission types ' 'can be used without a resource id' % (permission_type)) raise ValueError(message) return cleaned
def _get_all_permission_type_for_resource(self, resource_db): """ Retrieve "ALL" permission type for the provided resource. """ resource_type = resource_db.get_resource_type() permission_type = PermissionType.get_permission_type(resource_type=resource_type, permission_name='all') return permission_type
def _get_all_permission_type_for_resource(self, resource_db): """ Retrieve "ALL" permission type for the provided resource. """ resource_type = resource_db.get_resource_type() permission_type = PermissionType.get_permission_type( resource_type=resource_type, permission_name='all') return permission_type
def get_resolver_for_permission_type(permission_type): """ Return resolver instance for the provided permission type. :rtype: Instance of :class:`PermissionsResolver` """ resource_type = PermissionType.get_resource_type(permission_type=permission_type) resolver_instance = get_resolver_for_resource_type(resource_type=resource_type) return resolver_instance
def test_get_permission_type(self): self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.ACTION, permission_name="view"), PermissionType.ACTION_VIEW, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.ACTION, permission_name="all"), PermissionType.ACTION_ALL, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.ACTION, permission_name="execute"), PermissionType.ACTION_EXECUTE, ) self.assertEqual( PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name="view"), PermissionType.RULE_VIEW, ) self.assertEqual( PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name="delete"), PermissionType.RULE_DELETE, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.SENSOR, permission_name="view"), PermissionType.SENSOR_VIEW, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.SENSOR, permission_name="all"), PermissionType.SENSOR_ALL, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.SENSOR, permission_name="modify"), PermissionType.SENSOR_MODIFY, ) self.assertEqual( PermissionType.get_permission_type( resource_type=ResourceType.RULE_ENFORCEMENT, permission_name="view"), PermissionType.RULE_ENFORCEMENT_VIEW, )
def test_user_has_resource_db_permission(self): resolver = RunnerPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.RUNNER) # Admin user, should always return true resource_db = self.resources['runner_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with "runner_view" grant on runner_1 resource_db = self.resources['runner_1'] user_db = self.users['custom_role_runner_view_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RUNNER_VIEW) permission_types = [ PermissionType.RUNNER_MODIFY, PermissionType.RUNNER_ALL ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types) # Custom role with "runner_modify" grant on runner_2 resource_db = self.resources['runner_2'] user_db = self.users['custom_role_runner_modify_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RUNNER_MODIFY) permission_types = [ PermissionType.RUNNER_VIEW, PermissionType.RUNNER_ALL ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)
def _validate_permission_types(resource_db, permission_types): """ Validate that the permission_types list only contains valid values for the provided resource. """ resource_db = _validate_resource_type(resource_db=resource_db) resource_type = resource_db.get_resource_type() valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: raise ValueError('Invalid permission type: %s' % (permission_type)) return permission_types
def _validate_permission_types(resource_db, permission_types): """ Validate that the permission_types list only contains valid values for the provided resource. """ resource_db = _validate_resource_type(resource_db=resource_db) resource_type = resource_db.get_resource_type() valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: raise ValueError("Invalid permission type: %s" % (permission_type)) return permission_types
def test_get_permission_name(self): self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_LIST), 'list') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), 'create') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), 'delete') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), 'all') self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), 'all') self.assertEqual(PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY), 'modify') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE), 'execute') self.assertEqual(PermissionType.get_permission_name(PermissionType.RULE_ENFORCEMENT_LIST), 'list')
def setUpClass(cls): super(KeyValuePermissionsResolverTestCase, cls).setUpClass() cls.all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.KEY_VALUE_PAIR) cls.read_permission_types = [ PermissionType.KEY_VALUE_PAIR_LIST, PermissionType.KEY_VALUE_PAIR_VIEW, ] cls.write_permission_types = [ PermissionType.KEY_VALUE_PAIR_SET, PermissionType.KEY_VALUE_PAIR_DELETE, ]
def test_user_has_resource_db_permissions(self): # Note: Right now we don't support granting permissions on key value items so we just check # that the method always returns True resolver = KeyValuePermissionsResolver() # No roles user_db = self.users['no_roles'] resource_db = self.resources['kvp_1'] permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.KEY_VALUE_PAIR) for permission_type in permission_types: self.assertTrue(resolver.user_has_resource_db_permission( user_db=user_db, resource_db=resource_db, permission_type=permission_type))
def add_lines_for_permission_set(resource_title, permission_types, lines): lines.append(resource_title) lines.append("~" * len(resource_title)) lines.append("") rows = [] rows.append(TABLE_HEADER) for permission_type in permission_types: description = PermissionType.get_permission_description( permission_type) rows.append([f"**{permission_type}**", description]) table = as_rest_table(rows, full=True) lines.extend(table.split("\n")) lines.append("")
def test_get_permission_name(self): self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_LIST), 'list') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), 'create') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), 'delete') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), 'all') self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), 'all') self.assertEqual(PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY), 'modify') self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE), 'execute')
def validate(self): # Parent JSON schema validation cleaned = super(RoleDefinitionFileFormatAPI, self).validate() # Custom validation # Validate that only the correct permission types are used permission_grants = getattr(self, "permission_grants", []) for permission_grant in permission_grants: resource_uid = permission_grant.get("resource_uid", None) permission_types = permission_grant.get("permission_types", []) if resource_uid: # Permission types which apply to a resource resource_type, _ = parse_uid(uid=resource_uid) valid_permission_types = ( PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type)) for permission_type in permission_types: if permission_type not in valid_permission_types: message = ( 'Invalid permission type "%s" for resource type "%s"' % ( permission_type, resource_type, )) raise ValueError(message) else: # Right now we only support single permission type (list) which is global and # doesn't apply to a resource for permission_type in permission_types: if permission_type not in GLOBAL_PERMISSION_TYPES: valid_global_permission_types = ", ".join( GLOBAL_PERMISSION_TYPES) message = ( 'Invalid permission type "%s". Valid global permission types ' "which can be used without a resource id are: %s" % (permission_type, valid_global_permission_types)) raise ValueError(message) return cleaned
def main(): lines = [] lines.append(HEADER) lines.append("") add_lines_for_permission_set("Global", GLOBAL_PERMISSION_TYPES, lines) for resource_type in RESOURCE_DISPLAY_ORDER: resource_title = resource_type.replace("_", " ").title() # pylint: disable=no-member permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) add_lines_for_permission_set(resource_title, permission_types, lines) result = "\n".join(lines) with open(DESTINATION_PATH, "w") as fp: fp.write(result) print("Generated: %s" % (DESTINATION_PATH)) return result
def validate(self): # Parent JSON schema validation super(RoleDefinitionFileFormatAPI, self).validate() # Custom validation # Validate that only the correct permission types are used permission_grants = getattr(self, 'permission_grants', []) for permission_grant in permission_grants: resource_uid = permission_grant.get('resource_uid', None) permission_types = permission_grant.get('permission_types', []) if resource_uid: resource_type, _ = parse_uid(uid=resource_uid) valid_permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: message = ('Invalid permission type "%s" for resource type "%s"' % (permission_type, resource_type)) raise ValueError(message)
def _user_has_system_role_permission(self, user_db, permission_type): """ Check the user system roles and return True if user has the required permission. :rtype: ``bool`` """ permission_name = PermissionType.get_permission_name(permission_type) user_role_dbs = get_roles_for_user(user_db=user_db) user_role_names = [role_db.name for role_db in user_role_dbs] if SystemRole.SYSTEM_ADMIN in user_role_names: # System admin has all the permissions return True elif SystemRole.ADMIN in user_role_names: # Admin has all the permissions return True elif SystemRole.OBSERVER in user_role_names and permission_name in READ_PERMISSION_NAMES: # Observer role has "view" permission on all the resources return True return False
def _user_has_system_role_permission(self, user_db, permission_type): """ Check the user system roles and return True if user has the required permission. :rtype: ``bool`` """ permission_name = PermissionType.get_permission_name(permission_type) user_role_dbs = get_roles_for_user(user_db=user_db) user_role_names = [role_db.name for role_db in user_role_dbs] if SystemRole.SYSTEM_ADMIN in user_role_names: # System admin has all the permissions return True elif SystemRole.ADMIN in user_role_names: # Admin has all the permissions return True elif SystemRole.OBSERVER in user_role_names and permission_name == 'view': # Observer role has "view" permission on all the resources return True return False
class RoleDefinitionFileFormatAPI(BaseAPI): """ JSON schema for the role definition file format. """ schema = { 'type': 'object', 'properties': { 'name': { 'type': 'string', 'description': 'Role name', 'required': True, 'default': None }, 'description': { 'type': 'string', 'description': 'Role description', 'required': False }, 'enabled': { 'type': 'boolean', 'description': ('Flag indicating if this role is enabled. Note: Disabled roles ' 'are simply ignored when loading definitions from disk.'), 'default': True }, 'permission_grants': { 'type': 'array', 'items': { 'type': 'object', 'properties': { 'resource_uid': { 'type': 'string', 'description': 'UID of a resource to which this grant applies to.', 'required': False, 'default': None }, 'permission_types': { 'type': 'array', 'description': 'A list of permission types to grant', 'uniqueItems': True, 'items': { 'type': 'string', # Note: We permission aditional validation for based on the # resource type in other place 'enum': PermissionType.get_valid_values() }, 'default': [] } } } } }, 'additionalProperties': False } def validate(self): # Parent JSON schema validation cleaned = super(RoleDefinitionFileFormatAPI, self).validate() # Custom validation # Validate that only the correct permission types are used permission_grants = getattr(self, 'permission_grants', []) for permission_grant in permission_grants: resource_uid = permission_grant.get('resource_uid', None) permission_types = permission_grant.get('permission_types', []) if resource_uid: # Permission types which apply to a resource resource_type, _ = parse_uid(uid=resource_uid) valid_permission_types = PermissionType.get_valid_permissions_for_resource_type( resource_type=resource_type) for permission_type in permission_types: if permission_type not in valid_permission_types: message = ( 'Invalid permission type "%s" for resource type "%s"' % (permission_type, resource_type)) raise ValueError(message) else: # Right now we only support single permission type (list) which is global and # doesn't apply to a resource for permission_type in permission_types: if not permission_type.endswith('_list'): message = ( 'Invalid permission type "%s". Only "list" permission types ' 'can be used without a resource id' % (permission_type)) raise ValueError(message) return cleaned
def test_user_has_resource_db_permission(self): resolver = ActionPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.ACTION) # Admin user, should always return true resource_db = self.resources['action_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_1'], permission_type=PermissionType.ACTION_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_2'], permission_type=PermissionType.ACTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_1'], permission_type=PermissionType.ACTION_MODIFY) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_2'], permission_type=PermissionType.ACTION_DELETE) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_1'], permission_type=PermissionType.ACTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_1'], permission_type=PermissionType.ACTION_EXECUTE) # Custom role with with grant on the parent pack user_db = self.users['custom_role_action_pack_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_1'], permission_type=PermissionType.ACTION_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_2'], permission_type=PermissionType.ACTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_2'], permission_type=PermissionType.ACTION_EXECUTE) # Custom role with a direct grant on action user_db = self.users['custom_role_action_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_3'], permission_type=PermissionType.ACTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_2'], permission_type=PermissionType.ACTION_EXECUTE) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['action_3'], permission_type=PermissionType.ACTION_EXECUTE) # Custom role - "action_all" grant on the action parent pack user_db = self.users['custom_role_pack_action_all_grant'] resource_db = self.resources['action_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "action_all" grant on the action user_db = self.users['custom_role_action_all_grant'] resource_db = self.resources['action_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "action_execute" grant on action_1 user_db = self.users['custom_role_action_execute_grant'] resource_db = self.resources['action_1'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.ACTION_EXECUTE) # "execute" also grants "view" self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.ACTION_VIEW) permission_types = [ PermissionType.ACTION_CREATE, PermissionType.ACTION_MODIFY, PermissionType.ACTION_DELETE ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)
def test_get_resource_type(self): self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_LIST), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_VIEW), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_CREATE), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_MODIFY), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_DELETE), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL), SystemType.PACK) self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_LIST), SystemType.SENSOR_TYPE) self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_VIEW), SystemType.SENSOR_TYPE) self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_MODIFY), SystemType.SENSOR_TYPE) self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_ALL), SystemType.SENSOR_TYPE) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_LIST), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_VIEW), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_MODIFY), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_EXECUTE), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL), SystemType.ACTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_LIST), SystemType.EXECUTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_VIEW), SystemType.EXECUTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_RE_RUN), SystemType.EXECUTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_STOP), SystemType.EXECUTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_ALL), SystemType.EXECUTION) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_LIST), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_VIEW), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_CREATE), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_MODIFY), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_DELETE), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ALL), SystemType.RULE) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_LIST), SystemType.RULE_ENFORCEMENT) self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_VIEW), SystemType.RULE_ENFORCEMENT) self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_VIEW), SystemType.KEY_VALUE_PAIR) self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_SET), SystemType.KEY_VALUE_PAIR) self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_DELETE), SystemType.KEY_VALUE_PAIR) self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_CREATE), SystemType.WEBHOOK) self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_SEND), SystemType.WEBHOOK) self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_DELETE), SystemType.WEBHOOK) self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_ALL), SystemType.WEBHOOK) self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_LIST), SystemType.API_KEY) self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_VIEW), SystemType.API_KEY) self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_CREATE), SystemType.API_KEY) self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_DELETE), SystemType.API_KEY) self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_ALL), SystemType.API_KEY)
def test_user_has_resource_db_permission(self): resolver = RuleEnforcementPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type(ResourceType.RULE_ENFORCEMENT) # Admin user, should always return true resource_db = self.resources["rule_enforcement_1"] user_db = self.users["admin"] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types ) ) # Observer, should always return true for VIEW permission user_db = self.users["observer"] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_1"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_2"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) # No roles, should return false for everything user_db = self.users["no_roles"] self.assertFalse( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types ) ) # Custom role with no permission grants, should return false for everything user_db = self.users["1_custom_role_no_permissions"] self.assertFalse( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types ) ) # Custom role with unrelated permission grant to parent pack user_db = self.users["custom_role_pack_grant"] self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_1"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_2"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) # Custom role with with grant on the parent pack user_db = self.users["custom_role_rule_pack_grant"] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_1"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_2"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) # Custom role with a direct grant on rule user_db = self.users["custom_role_rule_grant"] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources["rule_enforcement_3"], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW, ) ) # Custom role - "rule_all" grant on the rule parent pack user_db = self.users["custom_role_pack_rule_all_grant"] resource_db = self.resources["rule_enforcement_1"] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types ) ) # Custom role - "rule_all" grant on the rule user_db = self.users["custom_role_rule_all_grant"] resource_db = self.resources["rule_enforcement_1"] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types ) ) # Custom role - "rule_modify" grant on rule_1 user_db = self.users["custom_role_rule_modify_grant"] resource_db = self.resources["rule_enforcement_1"] # "modify" also grants "view" self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_ENFORCEMENT_VIEW ) )
def test_user_has_resource_permissions(self): resolver = ExecutionPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.EXECUTION) # Admin user, should always return true resource_db = self.resources['exec_1'] user_db = self.users['admin'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_STOP)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_ALL)) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with an action_view grant on unrelated pack, should return false for # everything user_db = self.users['custom_role_unrelated_pack_action_grant'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with unrelated permission grant to parent pack, should return false for # everything user_db = self.users['custom_role_pack_action_grant_unrelated_permission'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with "action_view" grant on the pack of the action resource belongs to user_db = self.users['custom_role_pack_action_view_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_VIEW )) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_RE_RUN )) # Custom role with "action_view" grant on the action the resource belongs to user_db = self.users['custom_role_action_view_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_VIEW )) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_RE_RUN )) # Custom role with "action_execute" grant on the pack of the action resource belongs to user_db = self.users['custom_role_pack_action_execute_grant'] permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)) permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)) # Custom role with "action_execute" grant on the action resource belongs to user_db = self.users['custom_role_action_execute_grant'] permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)) permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types)) # Custom role - "action_all" grant on the action parent pack the execution belongs to user_db = self.users['custom_role_pack_action_all_grant'] resource_db = self.resources['exec_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "action_all" grant on the action the execution belongs to user_db = self.users['custom_role_action_all_grant'] resource_db = self.resources['exec_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types))
def test_user_has_resource_db_permission(self): resolver = SensorPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.SENSOR) # Admin user, should always return true resource_db = self.resources['sensor_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_VIEW) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_ALL) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW) # Custom role with with grant on the parent pack user_db = self.users['custom_role_sensor_pack_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW) # Custom role with a direct grant on sensor user_db = self.users['custom_role_sensor_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_ALL) # Custom role - "sensor_all" grant on the sensor parent pack user_db = self.users['custom_role_pack_sensor_all_grant'] resource_db = self.resources['sensor_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "sensor_all" grant on the sensor user_db = self.users['custom_role_sensor_all_grant'] resource_db = self.resources['sensor_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles rule_spec = getattr(resource_db, 'rule', None) rule_uid = rule_spec.uid rule_id = rule_spec.id rule_pack = ResourceReference.get_pack(rule_spec.ref) if not rule_uid or not rule_id or not rule_pack: LOG.error( 'Rule UID or ID or PACK not present in enforcement object. ' + ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) + 'Cannot assess access permissions without it. Defaulting to DENY.' ) return False # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=rule_pack) rule_pack_uid = pack_db.get_uid() rule_permission_type = None if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW: rule_permission_type = PermissionType.RULE_VIEW elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST: rule_permission_type = PermissionType.RULE_LIST else: raise ValueError('Invalid permission type: %s' % (permission_type)) permission_types = [PermissionType.RULE_ALL, rule_permission_type] view_permission_type = PermissionType.get_permission_type( resource_type=ResourceType.RULE, permission_name='view') if rule_permission_type == view_permission_type: permission_types = ( RulePermissionsResolver.view_grant_permission_types[:] + [rule_permission_type]) # Check grants on the pack of the rule to which enforcement belongs to resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=rule_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement rule parent pack', extra=log_context) return True # Check grants on the rule the enforcement belongs to resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement\'s rule.', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles rule_spec = getattr(resource_db, 'rule', None) rule_uid = rule_spec.uid rule_id = rule_spec.id rule_pack = ResourceReference.get_pack(rule_spec.ref) if not rule_uid or not rule_id or not rule_pack: LOG.error('Rule UID or ID or PACK not present in enforcement object. ' + ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) + 'Cannot assess access permissions without it. Defaulting to DENY.') return False # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=rule_pack) rule_pack_uid = pack_db.get_uid() rule_permission_type = None if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW: rule_permission_type = PermissionType.RULE_VIEW elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST: rule_permission_type = PermissionType.RULE_LIST else: raise ValueError('Invalid permission type: %s' % (permission_type)) permission_types = [PermissionType.RULE_ALL, rule_permission_type] view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='view') if rule_permission_type == view_permission_type: permission_types = (RulePermissionsResolver.view_grant_permission_types[:] + [rule_permission_type]) # Check grants on the pack of the rule to which enforcement belongs to resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=rule_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement rule parent pack', extra=log_context) return True # Check grants on the rule the enforcement belongs to resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement\'s rule.', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def test_user_has_resource_db_permission(self): resolver = InquiryPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.INQUIRY) all_permission_types.remove(PermissionType.INQUIRY_LIST) # Admin user, should always return true user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_types=all_permission_types) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_RESPOND) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_ALL) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_types=all_permission_types) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_types=all_permission_types) # View user should be able to view user_db = self.users['custom_role_inquiry_view_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_VIEW) # Respond user should be able to respond user_db = self.users['custom_role_inquiry_respond_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_RESPOND) # ALL user should have all db perms user_db = self.users['custom_role_inquiry_all_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_1'], permission_type=PermissionType.INQUIRY_ALL) # Now to test inheritance from action_execution for parent workflow. # We still have to pass in INQUIRY_RESPOND to permission_type here to keep the resolver # enum assert happy, but we haven't granted INQUIRY_RESPOND to this role, proving # that the effective permission is inherited. user_db = self.users['custom_role_inquiry_inherit'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['inquiry_2'], permission_type=PermissionType.INQUIRY_RESPOND)
def test_user_has_resource_db_permission(self): resolver = RuleEnforcementPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.RULE_ENFORCEMENT) # Admin user, should always return true resource_db = self.resources['rule_enforcement_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_1'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_2'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_1'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_2'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) # Custom role with with grant on the parent pack user_db = self.users['custom_role_rule_pack_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_1'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_2'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) # Custom role with a direct grant on rule user_db = self.users['custom_role_rule_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['rule_enforcement_3'], permission_type=PermissionType.RULE_ENFORCEMENT_VIEW) # Custom role - "rule_all" grant on the rule parent pack user_db = self.users['custom_role_pack_rule_all_grant'] resource_db = self.resources['rule_enforcement_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "rule_all" grant on the rule user_db = self.users['custom_role_rule_all_grant'] resource_db = self.resources['rule_enforcement_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "rule_modify" grant on rule_1 user_db = self.users['custom_role_rule_modify_grant'] resource_db = self.resources['rule_enforcement_1'] # "modify" also grants "view" self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
def test_user_has_resource_permissions(self): resolver = SensorPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.SENSOR) # Admin user, should always return true resource_db = self.resources['sensor_1'] user_db = self.users['admin'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW)) self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_VIEW)) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_ALL)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW)) # Custom role with with grant on the parent pack user_db = self.users['custom_role_sensor_pack_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_1'], permission_type=PermissionType.SENSOR_VIEW)) self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_2'], permission_type=PermissionType.SENSOR_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW)) # Custom role with a direct grant on sensor user_db = self.users['custom_role_sensor_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['sensor_3'], permission_type=PermissionType.SENSOR_ALL)) # Custom role - "sensor_all" grant on the sensor parent pack user_db = self.users['custom_role_pack_sensor_all_grant'] resource_db = self.resources['sensor_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "sensor_all" grant on the sensor user_db = self.users['custom_role_sensor_all_grant'] resource_db = self.resources['sensor_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types))
def test_user_has_resource_permissions(self): resolver = RulePermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.RULE) # Admin user, should always return true resource_db = self.resources['rule_1'] user_db = self.users['admin'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_MODIFY)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_DELETE)) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_DELETE)) # Custom role with with grant on the parent pack user_db = self.users['custom_role_rule_pack_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_DELETE)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_MODIFY)) # Custom role with a direct grant on rule user_db = self.users['custom_role_rule_grant'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_ALL)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_MODIFY)) self.assertFalse(resolver.user_has_resource_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_DELETE)) # Custom role - "rule_all" grant on the action parent pack user_db = self.users['custom_role_pack_rule_all_grant'] resource_db = self.resources['rule_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "action_all" grant on the action user_db = self.users['custom_role_rule_all_grant'] resource_db = self.resources['rule_1'] self.assertTrue(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "rule_modify" grant on rule_1 user_db = self.users['custom_role_rule_modify_grant'] resource_db = self.resources['rule_1'] self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_MODIFY)) # "modify" also grants "view" self.assertTrue(resolver.user_has_resource_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_VIEW)) permission_types = [ PermissionType.RULE_CREATE, PermissionType.RULE_DELETE ] self.assertFalse(self._user_has_resource_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types))
def test_user_has_resource_db_permissions(self): resolver = RulePermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.RULE) # Admin user, should always return true resource_db = self.resources['rule_1'] user_db = self.users['admin'] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_MODIFY)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_DELETE)) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertFalse( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertFalse( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role with unrelated permission grant to parent pack user_db = self.users['custom_role_pack_grant'] self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_DELETE)) # Custom role with with grant on the parent pack user_db = self.users['custom_role_rule_pack_grant'] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_VIEW)) self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_1'], permission_type=PermissionType.RULE_DELETE)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_2'], permission_type=PermissionType.RULE_MODIFY)) # Custom role with a direct grant on rule user_db = self.users['custom_role_rule_grant'] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_VIEW)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_ALL)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_MODIFY)) self.assertFalse( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=self.resources['rule_3'], permission_type=PermissionType.RULE_DELETE)) # Custom role - "rule_all" grant on the rule parent pack user_db = self.users['custom_role_pack_rule_all_grant'] resource_db = self.resources['rule_1'] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "rule_all" grant on the rule user_db = self.users['custom_role_rule_all_grant'] resource_db = self.resources['rule_1'] self.assertTrue( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)) # Custom role - "rule_modify" grant on rule_1 user_db = self.users['custom_role_rule_modify_grant'] resource_db = self.resources['rule_1'] self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_MODIFY)) # "modify" also grants "view" self.assertTrue( resolver.user_has_resource_db_permission( user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_VIEW)) permission_types = [ PermissionType.RULE_CREATE, PermissionType.RULE_DELETE ] self.assertFalse( self._user_has_resource_db_permissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types))
def test_user_has_resource_db_permission(self): resolver = ExecutionPermissionsResolver() all_permission_types = PermissionType.get_valid_permissions_for_resource_type( ResourceType.EXECUTION) all_permission_types.remove(PermissionType.EXECUTION_LIST) # Admin user, should always return true resource_db = self.resources['exec_1'] user_db = self.users['admin'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Observer, should always return true for VIEW permission user_db = self.users['observer'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_STOP) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=self.resources['exec_1'], permission_type=PermissionType.EXECUTION_ALL) # No roles, should return false for everything user_db = self.users['no_roles'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with no permission grants, should return false for everything user_db = self.users['1_custom_role_no_permissions'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with an action_view grant on unrelated pack, should return false for # everything user_db = self.users['custom_role_unrelated_pack_action_grant'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with unrelated permission grant to parent pack, should return false for # everything user_db = self.users[ 'custom_role_pack_action_grant_unrelated_permission'] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role with "action_view" grant on the pack of the action resource belongs to user_db = self.users['custom_role_pack_action_view_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_RE_RUN) # Custom role with "action_view" grant on the action the resource belongs to user_db = self.users['custom_role_action_view_grant'] self.assertUserHasResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_VIEW) self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_type=PermissionType.EXECUTION_RE_RUN) # Custom role with "action_execute" grant on the pack of the action resource belongs to user_db = self.users['custom_role_pack_action_execute_grant'] permission_types = [ PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP ] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types) permission_types = [ PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types) # Custom role with "action_execute" grant on the action resource belongs to user_db = self.users['custom_role_action_execute_grant'] permission_types = [ PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP ] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types) permission_types = [ PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL ] self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=permission_types) # Custom role - "action_all" grant on the action parent pack the execution belongs to user_db = self.users['custom_role_pack_action_all_grant'] resource_db = self.resources['exec_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types) # Custom role - "action_all" grant on the action the execution belongs to user_db = self.users['custom_role_action_all_grant'] resource_db = self.resources['exec_1'] self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types)
def test_get_permission_name(self): self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), "create") self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), "delete") self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), "all") self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), "all")