def __init__(self, client_realm, server_realm, authz_remote): gssapiprotocol.GSSAPILineServer.__init__(self) self.client_realm = client_realm self.server_realm = server_realm self.authorizer = None if authz_remote: self.authorizer = authz.ClientAuthorizer(self.peer, authz_remote)
def test_authorize(self): """Test request authorization.""" ipasrv = ipa525.IPA525Server(client_realm=['c_realm.org'], server_realm='s_realm.org', authz_remote=None) # Successful self authorization. ipasrv._authorize('user1@c_realm.org', 'user1@s_realm.org') # Invalid client realm. self.assertRaises(authz.AuthorizationError, ipasrv._authorize, '*****@*****.**', 'user1@s_realm.org') # Different user, authorized is not specified. self.assertRaises(authz.AuthorizationError, ipasrv._authorize, 'user1@c_realm.org', 'user2@s_realm.org') ipasrv.authorizer = authz.ClientAuthorizer(lambda: 'userX@c_realm.org', '/var/run/auth.sock') # Successful self authorization. ipasrv._authorize('user1@c_realm.org', 'user1@s_realm.org') self.assertFalse(treadmill.restclient.post.called) # Impersonation request treadmill.restclient.post.return_value = mock.MagicMock() ipasrv._authorize('userX@c_realm.org', 'user2@s_realm.org') treadmill.restclient.post.assert_called_with( ['/var/run/auth.sock'], '/userX@c_realm.org/ipa525/user', payload={ 'payload': None, 'pk': 'user2' })
def invoke_grp(authz): """Directly invoke Treadmill API without REST.""" if authz is not None: ctx.authorizer = authz_mod.ClientAuthorizer( utils.get_current_username, authz) else: ctx.authorizer = authz_mod.NullAuthorizer() if cli.OUTPUT_FORMAT is None: raise click.BadParameter('must use --outfmt [json|yaml]')
def invoke(authz): """Directly invoke Treadmill API without REST.""" if authz is not None: ctx.authorizer = authz_mod.ClientAuthorizer( lambda: pwd.getpwuid(os.getuid()).pw_name, authz) else: ctx.authorizer = authz_mod.NullAuthorizer() if cli.OUTPUT_FORMAT == 'pretty': raise click.BadParameter('must use --outfmt [json|yaml]')
def get_authorizer(authz_arg=None): """Get authozrizer by argujents""" def user_clbk(): """Get current user from the request.""" return flask.g.get('user') if authz_arg is None: authorizer = authz.NullAuthorizer() else: authorizer = authz.ClientAuthorizer(user_clbk, authz_arg) return authorizer
def init(apis, title=None, cors_origin=None, authz_arg=None): """Module initialization.""" blueprint = flask.Blueprint('v1', __name__) api = restplus.Api(blueprint, version='1.0', title=title, description="Treadmill REST API Documentation") error_handlers.register(api) # load up any external error_handlers try: err_handlers_plugin = importlib.import_module( 'treadmill.plugins.rest.error_handlers') err_handlers_plugin.init(api) except ImportError as err: _LOGGER.warn('Unable to load error_handlers plugin: %s', err) @blueprint.route('/docs/', endpoint='docs') def _swagger_ui(): """Swagger documentation route""" return restplus.apidoc.ui_for(api) rest.FLASK_APP.register_blueprint(blueprint) rest.FLASK_APP.register_blueprint(restplus.apidoc.apidoc) cors = webutils.cors(origin=cors_origin, content_type='application/json', credentials=True) @rest.FLASK_APP.after_request def _after_request_cors_handler(response): """Process all OPTIONS request, thus don't need to add to each app""" if flask.request.method != 'OPTIONS': return response _LOGGER.debug('This is an OPTIONS call') def _noop_options(): """No noop response handler for all OPTIONS""" pass headers = flask.request.headers.get('Access-Control-Request-Headers') options_cors = webutils.cors(origin=cors_origin, credentials=True, headers=headers) response = options_cors(_noop_options)() return response def user_clbk(): """Get current user from the request.""" return flask.request.environ.get('REMOTE_USER') if authz_arg is None: authorizer = authz.NullAuthorizer() else: authorizer = authz.ClientAuthorizer(user_clbk, authz_arg) endpoints = [] for apiname in apis: try: apimod = apiname.replace('-', '_') _LOGGER.info('Loading api: %s', apimod) api_restmod = importlib.import_module('.'.join( ['treadmill', 'rest', 'api', apimod])) api_implmod = importlib.import_module('.'.join( ['treadmill', 'api', apimod])) api_impl = api_implmod.init(authorizer) endpoint = api_restmod.init(api, cors, api_impl) if endpoint is None: endpoint = apiname.replace('_', '-').replace('.', '/') if not endpoint.startswith('/'): endpoint = '/' + endpoint endpoints.append(endpoint) except ImportError as err: _LOGGER.warn('Unable to load %s api: %s', apimod, err) return endpoints