def test_get_all_permission_grants_for_user(self): user_db = self.users['1_custom_role'] role_db = self.roles['custom_role_1'] permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db) self.assertItemsEqual(permission_grants, []) # Grant some permissions resource_db = self.resources['rule_1'] permission_types = [PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY] permission_grant = rbac_services.create_permission_grant_for_resource_db( role_db=role_db, resource_db=resource_db, permission_types=permission_types) # Retrieve all grants permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db) self.assertItemsEqual(permission_grants, [permission_grant]) # Retrieve all grants, filter on resource with no grants permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db, resource_types=[ResourceType.PACK]) self.assertItemsEqual(permission_grants, []) # Retrieve all grants, filter on resource with grants permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db, resource_types=[ResourceType.RULE]) self.assertItemsEqual(permission_grants, [permission_grant])
def test_get_all_permission_grants_for_user(self): user_db = self.users['1_custom_role'] role_db = self.roles['custom_role_1'] permission_grants = rbac_services.get_all_permission_grants_for_user( user_db=user_db) self.assertItemsEqual(permission_grants, []) # Grant some permissions resource_db = self.resources['rule_1'] permission_types = [ PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY ] permission_grant = rbac_services.create_permission_grant_for_resource_db( role_db=role_db, resource_db=resource_db, permission_types=permission_types) # Retrieve all grants permission_grants = rbac_services.get_all_permission_grants_for_user( user_db=user_db) self.assertItemsEqual(permission_grants, [permission_grant]) # Retrieve all grants, filter on resource with no grants permission_grants = rbac_services.get_all_permission_grants_for_user( user_db=user_db, resource_types=[ResourceType.PACK]) self.assertItemsEqual(permission_grants, []) # Retrieve all grants, filter on resource with grants permission_grants = rbac_services.get_all_permission_grants_for_user( user_db=user_db, resource_types=[ResourceType.RULE]) self.assertItemsEqual(permission_grants, [permission_grant])
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type): log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': resource_uid, 'resource_type': self.resource_type, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions self._log('Checking grants via system role permissions', extra=log_context) has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='view') all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='all') if permission_type == view_permission_type: # Note: Some permissions such as "create", "modify", "delete" and "execute" also # grant / imply "view" permission permission_types = self.view_grant_permission_types[:] + [permission_type] elif permission_type not in all_permission_type: permission_types = [all_permission_type, permission_type] else: permission_types = [permission_type] # Check direct grants on the specified resource self._log('Checking direct grans on the specified resource', extra=log_context) resource_types = [self.resource_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=resource_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack self._log('Checking grants on the parent resource', extra=log_context) resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles rule_uid = resource_db.get_uid() pack_uid = resource_db.get_pack_uid() if permission_type == PermissionType.RULE_VIEW: # Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission permission_types = [ PermissionType.RULE_ALL, PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE, permission_type ] else: permission_types = [PermissionType.RULE_ALL, permission_type] # Check direct grants on the specified resource resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the rule', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the rule parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles action_uid = resource_db.get_uid() pack_uid = resource_db.get_pack_uid() if permission_type == PermissionType.ACTION_VIEW: # Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission permission_types = [ PermissionType.ACTION_ALL, PermissionType.ACTION_CREATE, PermissionType.ACTION_MODIFY, PermissionType.ACTION_DELETE, PermissionType.ACTION_EXECUTE, permission_type ] else: permission_types = [PermissionType.ACTION_ALL, permission_type] # Check direct grants on the specified resource resource_types = [ResourceType.ACTION] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=action_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type): log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': resource_uid, 'resource_type': self.resource_type, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='view') all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type, permission_name='all') if permission_type == view_permission_type: # Note: Some permissions such as "create", "modify", "delete" and "execute" also # grant / imply "view" permission permission_types = self.view_grant_permission_types[:] + [permission_type] elif permission_type not in all_permission_type: permission_types = [all_permission_type, permission_type] else: permission_types = [permission_type] # Check direct grants on the specified resource resource_types = [self.resource_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=resource_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_global_permission(self, user_db, permission_type): """ Custom method for checking if user has a particular global permission which doesn't apply to a specific resource but it's system-wide aka global permission. """ log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user(user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles webhook_uid = resource_db.get_uid() # Check direct grants on the webhook resource_types = [ResourceType.WEBHOOK] permission_types = [PermissionType.WEBHOOK_ALL, permission_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=webhook_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the webhook', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_list_permission(self, user_db, permission_type): """ Common method for checking if a user has specific "list" resource permission (e.g. rules_list, action_list, etc.). """ assert PermissionType.get_permission_name(permission_type) == 'list' log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user( user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles resource_uid = resource_db.get_uid() resource_types = [ResourceType.PACK] permission_types = [permission_type] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=resource_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_global_permission(self, user_db, permission_type): """ Custom method for checking if user has a particular global permission which doesn't apply to a specific resource but it's system-wide aka global permission. """ log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user( user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_list_permission(self, user_db, permission_type): """ Common method for checking if a user has specific "list" resource permission (e.g. rules_list, action_list, etc.). """ assert PermissionType.get_permission_name(permission_type) == 'list' log_context = { 'user_db': user_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles permission_types = [permission_type] # Check direct grants permission_grants = get_all_permission_grants_for_user(user_db=user_db, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles action_uid = resource_db.get_uid() pack_uid = resource_db.get_pack_uid() # Check direct grants on the specified resource resource_types = [ResourceType.ACTION] permission_types = [PermissionType.ACTION_ALL, permission_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=action_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_types = [PermissionType.ACTION_ALL, permission_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles action = resource_db['action'] # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=action['pack']) action_uid = action['uid'] action_pack_uid = pack_db.get_uid() # Note: "action_execute" also grants / implies "execution_re_run" and "execution_stop" if permission_type == PermissionType.EXECUTION_VIEW: action_permission_type = PermissionType.ACTION_VIEW elif permission_type in [ PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP ]: action_permission_type = PermissionType.ACTION_EXECUTE elif permission_type == PermissionType.EXECUTION_ALL: action_permission_type = PermissionType.ACTION_ALL else: raise ValueError('Invalid permission type: %s' % (permission_type)) # Check grants on the pack of the action to which execution belongs to resource_types = [ResourceType.PACK] permission_types = [PermissionType.ACTION_ALL, action_permission_type] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=action_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the execution action parent pack', extra=log_context) return True # Check grants on the action the execution belongs to resource_types = [ResourceType.ACTION] permission_types = [PermissionType.ACTION_ALL, action_permission_type] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=action_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the execution action', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_resource_permission(self, user_db, pack_uid, action_uid, permission_type): """ :param pack_uid: UID of a pack this resource belongs to. :type pack_uid: ``str`` :param action_uid: UID of an action to check the permissions for. :type action_uid: ``str`` """ log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': action_uid, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles if permission_type == PermissionType.ACTION_VIEW: # Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission permission_types = [ PermissionType.ACTION_ALL, PermissionType.ACTION_CREATE, PermissionType.ACTION_MODIFY, PermissionType.ACTION_DELETE, PermissionType.ACTION_EXECUTE, permission_type ] else: permission_types = [PermissionType.ACTION_ALL, permission_type] # Check direct grants on the specified resource resource_types = [ResourceType.ACTION] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=action_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the action', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the action parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles rule_spec = getattr(resource_db, 'rule', None) rule_uid = rule_spec.uid rule_id = rule_spec.id rule_pack = ResourceReference.get_pack(rule_spec.ref) if not rule_uid or not rule_id or not rule_pack: LOG.error( 'Rule UID or ID or PACK not present in enforcement object. ' + ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) + 'Cannot assess access permissions without it. Defaulting to DENY.' ) return False # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=rule_pack) rule_pack_uid = pack_db.get_uid() rule_permission_type = None if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW: rule_permission_type = PermissionType.RULE_VIEW elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST: rule_permission_type = PermissionType.RULE_LIST else: raise ValueError('Invalid permission type: %s' % (permission_type)) permission_types = [PermissionType.RULE_ALL, rule_permission_type] view_permission_type = PermissionType.get_permission_type( resource_type=ResourceType.RULE, permission_name='view') if rule_permission_type == view_permission_type: permission_types = ( RulePermissionsResolver.view_grant_permission_types[:] + [rule_permission_type]) # Check grants on the pack of the rule to which enforcement belongs to resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=rule_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement rule parent pack', extra=log_context) return True # Check grants on the rule the enforcement belongs to resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user( user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement\'s rule.', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles rule_spec = getattr(resource_db, 'rule', None) rule_uid = rule_spec.uid rule_id = rule_spec.id rule_pack = ResourceReference.get_pack(rule_spec.ref) if not rule_uid or not rule_id or not rule_pack: LOG.error('Rule UID or ID or PACK not present in enforcement object. ' + ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) + 'Cannot assess access permissions without it. Defaulting to DENY.') return False # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=rule_pack) rule_pack_uid = pack_db.get_uid() rule_permission_type = None if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW: rule_permission_type = PermissionType.RULE_VIEW elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST: rule_permission_type = PermissionType.RULE_LIST else: raise ValueError('Invalid permission type: %s' % (permission_type)) permission_types = [PermissionType.RULE_ALL, rule_permission_type] view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE, permission_name='view') if rule_permission_type == view_permission_type: permission_types = (RulePermissionsResolver.view_grant_permission_types[:] + [rule_permission_type]) # Check grants on the pack of the rule to which enforcement belongs to resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=rule_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement rule parent pack', extra=log_context) return True # Check grants on the rule the enforcement belongs to resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the enforcement\'s rule.', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def _user_has_resource_permission(self, user_db, pack_uid, rule_uid, permission_type): """ :param pack_uid: UID of a pack this resource belongs to. :type pack_uid: ``str`` :param rule_uid: UID of a rule to check the permissions for. :type rule_uid: ``str`` """ log_context = { 'user_db': user_db, 'pack_uid': pack_uid, 'resource_uid': rule_uid, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles if permission_type == PermissionType.RULE_VIEW: # Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission permission_types = [ PermissionType.RULE_ALL, PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE, permission_type ] else: permission_types = [PermissionType.RULE_ALL, permission_type] # Check direct grants on the specified resource resource_types = [ResourceType.RULE] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=rule_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a direct grant on the rule', extra=log_context) return True # Check grants on the parent pack resource_types = [ResourceType.PACK] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the rule parent pack', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type): log_context = { 'user_db': user_db, 'resource_db': resource_db, 'permission_type': permission_type, 'resolver': self.__class__.__name__ } self._log('Checking user resource permissions', extra=log_context) # First check the system role permissions has_system_role_permission = self._user_has_system_role_permission( user_db=user_db, permission_type=permission_type) if has_system_role_permission: self._log('Found a matching grant via system role', extra=log_context) return True # Check custom roles action = resource_db['action'] # TODO: Add utility methods for constructing uids from parts pack_db = PackDB(ref=action['pack']) action_uid = action['uid'] action_pack_uid = pack_db.get_uid() # Note: "action_execute" also grants / implies "execution_re_run" and "execution_stop" if permission_type == PermissionType.EXECUTION_VIEW: action_permission_type = PermissionType.ACTION_VIEW elif permission_type in [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]: action_permission_type = PermissionType.ACTION_EXECUTE elif permission_type == PermissionType.EXECUTION_ALL: action_permission_type = PermissionType.ACTION_ALL else: raise ValueError('Invalid permission type: %s' % (permission_type)) # Check grants on the pack of the action to which execution belongs to resource_types = [ResourceType.PACK] permission_types = [PermissionType.ACTION_ALL, action_permission_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=action_pack_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the execution action parent pack', extra=log_context) return True # Check grants on the action the execution belongs to resource_types = [ResourceType.ACTION] permission_types = [PermissionType.ACTION_ALL, action_permission_type] permission_grants = get_all_permission_grants_for_user(user_db=user_db, resource_uid=action_uid, resource_types=resource_types, permission_types=permission_types) if len(permission_grants) >= 1: self._log('Found a grant on the execution action', extra=log_context) return True self._log('No matching grants found', extra=log_context) return False