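def test_request_is_admin_and_request_has_role(self):
    """
    request_user_is_admin / request_user_has_role must grant everything while auth is
    disabled and must tell admin and regular users apart once auth is enabled.
    """
    admin_request = mock.Mock()
    admin_request.context = {'auth': {'user': self.admin_user}}

    regular_request = mock.Mock()
    regular_request.context = {'auth': {'user': self.regular_user}}

    # The override is process-global; undo it so the auth setting does not leak
    # into tests which run afterwards.
    self.addCleanup(cfg.CONF.clear_override, 'enable', group='auth')

    # Auth disabled: every caller is treated as admin, whatever their role
    cfg.CONF.set_override(name='enable', override=False, group='auth')

    for request in (regular_request, admin_request):
        self.assertTrue(request_user_is_admin(request=request))
        self.assertTrue(request_user_has_role(request=request, role=SystemRole.ADMIN))

    # Auth enabled: only the admin user passes the checks
    cfg.CONF.set_override(name='enable', override=True, group='auth')

    self.assertTrue(request_user_is_admin(request=admin_request))
    self.assertTrue(request_user_has_role(request=admin_request, role=SystemRole.ADMIN))

    self.assertFalse(request_user_is_admin(request=regular_request))
    self.assertFalse(request_user_has_role(request=regular_request, role=SystemRole.ADMIN))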
def get_one(self, name, scope=SYSTEM_SCOPE, user=None, decrypt=False):
    """
    List key by name.

    Handle:
        GET /keys/key1

    :param name: Name of the key to retrieve.
    :param scope: Datastore scope of the key; forced to the user scope when ``user`` is given.
    :param user: Owner of the key; only admins may read another user's key.
    :param decrypt: Return the secret value in clear text (admin or owner only).
    """
    self._validate_scope(scope=scope)

    # A user query parameter always means a user-scoped lookup
    if user:
        scope = USER_SCOPE

    requester_user = get_requester()
    # Without an explicit user, look up the caller's own key
    user = user or requester_user

    is_admin = request_user_is_admin(request=pecan.request)

    # Caller must be an admin or be asking for its own item to get a decrypted value
    self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

    # Reading another user's key requires admin privileges.
    # NOTE(review): other revisions of this controller spell this helper
    # `..._is_provided`; confirm the name matches the imported symbol.
    assert_request_user_is_admin_if_user_query_param_is_provider(request=pecan.request, user=user)

    key_ref = get_key_reference(scope=scope, name=name, user=user)
    from_model_kwargs = {'mask_secrets': not decrypt}

    return self._get_one_by_scope_and_name(
        name=key_ref,
        scope=scope,
        from_model_kwargs=from_model_kwargs
    )
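def get_all(self, prefix=None, scope=FULL_SYSTEM_SCOPE, user=None, decrypt=False, **kwargs):
    """
    List all keys.

    Handles requests:
        GET /keys/

    :param prefix: Only return keys whose name starts with this prefix.
    :param scope: Datastore scope to list; ``ALL_SCOPE`` is restricted to admins.
    :param user: Owner of the keys to list; only admins may list another user's keys.
    :param decrypt: Return secret values in clear text (admin or owner only).
    :raises AccessDeniedError: when a non-admin asks for ``ALL_SCOPE``.
    """
    if not scope:
        scope = FULL_SYSTEM_SCOPE

    # A user query parameter always means a user-scoped listing
    if user:
        scope = FULL_USER_SCOPE

    scope = get_datastore_full_scope(scope)

    requester_user = get_requester()
    # Without an explicit user, list the caller's own keys
    user = user or requester_user

    is_all_scope = (scope == ALL_SCOPE)
    is_admin = request_user_is_admin(request=pecan.request)

    if is_all_scope and not is_admin:
        msg = '"all" scope requires administrator access'
        raise AccessDeniedError(message=msg, user_db=requester_user)

    # User needs to be either admin or requesting items for themselves
    self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

    # Validate that the authenticated user is admin if user query param is provided
    assert_request_user_is_admin_if_user_query_param_is_provided(
        request=pecan.request, user=user)

    from_model_kwargs = {'mask_secrets': not decrypt}
    kwargs['prefix'] = prefix

    # Compare against the sentinel directly: ``scope not in ALL_SCOPE`` is a substring
    # test when ALL_SCOPE is a string and would skip validation for e.g. scope="a".
    if scope and not is_all_scope:
        self._validate_scope(scope=scope)
        kwargs['scope'] = scope

    if scope == USER_SCOPE or scope == FULL_USER_SCOPE:
        # Restrict the listing to the resolved user's namespace. ``user`` is the
        # requester unless an admin explicitly asked for another user's keys (the
        # assertion above already enforced that), so the prefix is keyed off
        # ``user`` whether or not a prefix was supplied.
        kwargs['prefix'] = get_key_reference(name=kwargs['prefix'] or '', scope=scope,
                                             user=user)

    kvp_apis = super(KeyValuePairController, self)._get_all(from_model_kwargs=from_model_kwargs,
                                                            **kwargs)
    return kvp_apis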
def get_one(self, name, scope=FULL_SYSTEM_SCOPE, user=None, decrypt=False):
    """
    List key by name.

    Handle:
        GET /keys/key1

    :param name: Name of the key to retrieve.
    :param scope: Datastore scope of the key; forced to the user scope when ``user`` is given.
    :param user: Owner of the key; only admins may read another user's key.
    :param decrypt: Return the secret value in clear text (admin or owner only).
    """
    scope = scope or FULL_SYSTEM_SCOPE

    # A user query parameter always means a user-scoped lookup
    if user:
        scope = FULL_USER_SCOPE

    scope = get_datastore_full_scope(scope)
    self._validate_scope(scope=scope)

    requester_user = get_requester()
    # Without an explicit user, look up the caller's own key
    user = user or requester_user

    is_admin = request_user_is_admin(request=pecan.request)

    # Caller must be an admin or be asking for its own item to get a decrypted value
    self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

    # Reading another user's key requires admin privileges
    assert_request_user_is_admin_if_user_query_param_is_provided(
        request=pecan.request, user=user)

    key_ref = get_key_reference(scope=scope, name=name, user=user)

    return self._get_one_by_scope_and_name(
        name=key_ref,
        scope=scope,
        from_model_kwargs={'mask_secrets': not decrypt})
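def get_all(self, prefix=None, scope=FULL_SYSTEM_SCOPE, user=None, decrypt=False, **kwargs):
    """
    List all keys.

    Handles requests:
        GET /keys/

    :param prefix: Only return keys whose name starts with this prefix.
    :param scope: Datastore scope to list; ``ALL_SCOPE`` is restricted to admins.
    :param user: Owner of the keys to list; only admins may list another user's keys.
    :param decrypt: Return secret values in clear text (admin or owner only).
    :raises AccessDeniedError: when a non-admin asks for ``ALL_SCOPE``.
    """
    if not scope:
        scope = FULL_SYSTEM_SCOPE

    # A user query parameter always means a user-scoped listing
    if user:
        scope = FULL_USER_SCOPE

    scope = get_datastore_full_scope(scope)

    requester_user = get_requester()
    # Without an explicit user, list the caller's own keys
    user = user or requester_user

    is_all_scope = (scope == ALL_SCOPE)
    is_admin = request_user_is_admin(request=pecan.request)

    if is_all_scope and not is_admin:
        msg = '"all" scope requires administrator access'
        raise AccessDeniedError(message=msg, user_db=requester_user)

    # User needs to be either admin or requesting items for themselves
    self._validate_decrypt_query_parameter(decrypt=decrypt, scope=scope, is_admin=is_admin)

    # Validate that the authenticated user is admin if user query param is provided.
    # NOTE(review): other revisions of this controller spell this helper
    # `..._is_provided`; confirm the name matches the imported symbol.
    assert_request_user_is_admin_if_user_query_param_is_provider(request=pecan.request, user=user)

    from_model_kwargs = {'mask_secrets': not decrypt}
    kwargs['prefix'] = prefix

    # Compare against the sentinel directly: ``scope not in ALL_SCOPE`` is a substring
    # test when ALL_SCOPE is a string and would skip validation for e.g. scope="a".
    if scope and not is_all_scope:
        self._validate_scope(scope=scope)
        kwargs['scope'] = scope

    if scope == USER_SCOPE or scope == FULL_USER_SCOPE:
        # Restrict the listing to the resolved user's namespace. ``user`` is the
        # requester unless an admin explicitly asked for another user's keys (the
        # assertion above already enforced that), so the prefix is keyed off
        # ``user`` whether or not a prefix was supplied.
        kwargs['prefix'] = get_key_reference(name=kwargs['prefix'] or '', scope=scope,
                                             user=user)

    kvp_apis = super(KeyValuePairController, self)._get_all(from_model_kwargs=from_model_kwargs,
                                                            **kwargs)
    return kvp_apis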
def _get_from_model_kwargs_for_request(self, request):
    """
    Build the ``from_model_kwargs`` for this request.

    Secrets are masked according to ``cfg.CONF.api.mask_secrets``; an admin may
    unmask them by passing ``?show_secrets=True``. Non-admins cannot override the
    configured value.

    :param request: Request object.
    :rtype: ``dict``
    """
    show_secrets = self._get_query_param_value(
        request=request,
        param_name=SHOW_SECRETS_QUERY_PARAM,
        param_type="bool",
        default_value=False
    )
    # The admin check only runs when the caller actually asked to see secrets
    unmask = bool(show_secrets) and request_user_is_admin(request=request)
    mask_secrets = False if unmask else cfg.CONF.api.mask_secrets
    return {"mask_secrets": mask_secrets}
def _get_from_model_kwargs_for_request(self, request):
    """
    Build the ``from_model_kwargs`` for this request.

    Secrets are masked according to ``cfg.CONF.api.mask_secrets``; an admin may
    unmask them by passing ``?show_secrets=True``. Non-admins cannot override the
    configured value.

    :param request: Request object.
    :rtype: ``dict``
    """
    show_secrets = self._get_query_param_value(request=request,
                                               param_name=SHOW_SECRETS_QUERY_PARAM,
                                               param_type='bool',
                                               default_value=False)
    # The admin check only runs when the caller actually asked to see secrets
    unmask = bool(show_secrets) and request_user_is_admin(request=request)
    mask_secrets = False if unmask else cfg.CONF.api.mask_secrets
    return {'mask_secrets': mask_secrets}
def _get_mask_secrets(self, request):
    """
    Return the ``mask_secrets`` value to use when serialising secret properties
    returned by any API.

    The default comes from the config; admin users may override it by passing
    the special query parameter ``?show_secrets=True``. Non-admins always get
    the configured value.

    :param request: Request object.
    :rtype: ``bool``
    """
    show_secrets = self._get_query_param_value(request=request,
                                               param_name=SHOW_SECRETS_QUERY_PARAM,
                                               param_type='bool',
                                               default_value=False)
    # The admin check only runs when the caller actually asked to see secrets
    if show_secrets and request_user_is_admin(request=request):
        return False
    return cfg.CONF.api.mask_secrets