def _insert_common_mock_roles(self):
# Insert common mock roles
admin_role_db = rbac_service.get_role_by_name(name=SystemRole.ADMIN)
observer_role_db = rbac_service.get_role_by_name(
name=SystemRole.OBSERVER)
self.roles['admin_role'] = admin_role_db
self.roles['observer_role'] = observer_role_db
# Custom role 1 - no grants
role_1_db = rbac_service.create_role(name='custom_role_1')
self.roles['custom_role_1'] = role_1_db
# Custom role 2 - one grant on pack_1
# "pack_create" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.PACK_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_pack_grant'] = role_3_db
def sync(self, user_db, groups):
"""
:param user_db: User to sync the assignments for.
:type user: :class:`UserDB`
:param groups: A list of remote groups user is a member of.
:type groups: ``list`` of ``str``
:return: A list of mappings which have been created.
:rtype: ``list`` of :class:`UserRoleAssignmentDB`
"""
groups = list(set(groups))
extra = {'user_db': user_db, 'groups': groups}
LOG.info('Synchronizing remote role assignments for user "%s"' % (str(user_db)),
extra=extra)
# 1. Retrieve group to role mappings for the provided groups
all_mapping_dbs = GroupToRoleMapping.query(group__in=groups)
enabled_mapping_dbs = [mapping_db for mapping_db in all_mapping_dbs if
mapping_db.enabled]
disabled_mapping_dbs = [mapping_db for mapping_db in all_mapping_dbs if
not mapping_db.enabled]
if not all_mapping_dbs:
LOG.debug('No group to role mappings found for user "%s"' % (str(user_db)), extra=extra)
# 2. Remove all the existing remote role assignments
remote_assignment_dbs = UserRoleAssignment.query(user=user_db.name, is_remote=True)
existing_role_names = [assignment_db.role for assignment_db in remote_assignment_dbs]
existing_role_names = set(existing_role_names)
current_role_names = set([])
for mapping_db in all_mapping_dbs:
for role in mapping_db.roles:
current_role_names.add(role)
# A list of new role assignments which should be added to the database
new_role_names = current_role_names.difference(existing_role_names)
# A list of role assignments which need to be updated in the database
updated_role_names = existing_role_names.intersection(current_role_names)
# A list of role assignments which should be removed from the database
removed_role_names = (existing_role_names - new_role_names)
# Also remove any assignments for mappings which are disabled in the database
for mapping_db in disabled_mapping_dbs:
for role in mapping_db.roles:
removed_role_names.add(role)
LOG.debug('New role assignments: %r' % (new_role_names))
LOG.debug('Updated role assignments: %r' % (updated_role_names))
LOG.debug('Removed role assignments: %r' % (removed_role_names))
# Build a list of role assignments to delete
role_names_to_delete = updated_role_names.union(removed_role_names)
role_assignment_dbs_to_delete = [role_assignment_db for role_assignment_db
in remote_assignment_dbs
if role_assignment_db.role in role_names_to_delete]
UserRoleAssignment.query(user=user_db.name, role__in=role_names_to_delete,
is_remote=True).delete()
# 3. Create role assignments for all the current groups
created_assignments_dbs = []
for mapping_db in enabled_mapping_dbs:
extra['mapping_db'] = mapping_db
for role_name in mapping_db.roles:
role_db = rbac_service.get_role_by_name(name=role_name)
if not role_db:
# Gracefully skip assignment for role which doesn't exist in the db
LOG.info('Role with name "%s" for mapping "%s" not found, skipping assignment.'
% (role_name, str(mapping_db)), extra=extra)
continue
description = ('Automatic role assignment based on the remote user membership in '
'group "%s"' % (mapping_db.group))
assignment_db = rbac_service.assign_role_to_user(role_db=role_db, user_db=user_db,
description=description,
is_remote=True,
source=mapping_db.source,
ignore_already_exists_error=True)
assert assignment_db.is_remote is True
created_assignments_dbs.append(assignment_db)
LOG.debug('Created %s new remote role assignments for user "%s"' %
(len(created_assignments_dbs), str(user_db)), extra=extra)
return (created_assignments_dbs, role_assignment_dbs_to_delete)