def post(token_info: dict, resource_type_name, resource_id): rt = ResourceType(resource_type_name) rt.create_id(resource_id) return make_response(jsonify({ 'msg': f"Created resource/{rt.name}/id/{resource_id}.", 'resource_type': rt.name, 'resource_id': resource_id}), 201)
def get_resource_authz_parameters(user: str, resources: Union[List[str], str]): """ Get all policy ids, and send them to lookup policy, group them by policy type. :param user: :param resource: :return: """ policies = [] _user = User(user) try: groups = _user.groups except cd_client.exceptions.ResourceNotFoundException: _user = User.provision_user(user) groups = _user.groups # Only support a single resource for now resource = resources[0] if isinstance(resources, list) else resources r_type, r_id, *_ = resource.split(':')[-1].split('/') if r_type in ResourceType.get_types(): r_id = ResourceId(r_type, r_id) resource_policies = r_id.check_access( [_user] + [Group(object_ref=g) for g in groups]) if not resource_policies: raise ResourceNotFound("ResourceNotFound") policies.extend(resource_policies) policies.extend(list(_user.get_policy_ids())) authz_params = Config.get_directory().get_policies(policies) if authz_params.get('ResourcePolicy'): authz_params['ResourcePolicy'] = combine( [i['policy_document'] for i in authz_params.get('ResourcePolicy')]) return authz_params
def get(token_info: dict, resource_type_name): next_token, per_page = get_next_token(request.args) rt = ResourceType(resource_type_name) return get_page(rt.list_policies, next_token, per_page, content_key='policies')
def clear_cd(directory: 'CloudDirectory', users: List[str] = None, groups: List[str] = None, roles: List[str] = None, resources: List[str] = None) -> None: """ :param directory: the directory to clear :param users: a list of users to keep :param groups: a list of groups to keep :param roles: a list of roles to keep :param resources: a list of resource types to keep :return: """ users = users if users else [] groups = groups if groups else [] roles = roles if roles else [] resources = resources if resources else [] protected_users = [User.hash_name(name) for name in ['public'] + users] protected_groups = [Group.hash_name(name) for name in ['user_default'] + groups] protected_roles = [Role.hash_name(name) for name in ["fusillade_admin", "default_user"] + roles] protected_resources = [ResourceType.hash_name(name) for name in resources] for name, obj_ref in directory.list_object_children('/user/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name): if name not in protected_users: directory.delete_object(obj_ref) for name, obj_ref in directory.list_object_children('/group/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name): if name not in protected_groups: directory.delete_object(obj_ref) for name, obj_ref in directory.list_object_children('/role/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name): if name not in protected_roles: directory.delete_object(obj_ref) for name, obj_ref in directory.list_object_children('/resource/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name): if name not in protected_resources: directory.delete_object(obj_ref, delete_children=True)
def test_create_resource_type(self): actions = ['readproject', 'writeproject', 'deleteproject'] resource_type = 'test_type' # a resource type is created self._create_resource_type(resource_type, actions) test_type = ResourceType(resource_type) # cannot do twice with self.assertRaises(FusilladeHTTPException): ResourceType.create(resource_type, actions) # actions are set self.assertTrue(set(test_type.actions) == set(actions)) # owner policy exists self.assertIn(f'/resource/{resource_type}/policy/Owner', test_type.list_policies()[0]['policies']) # create an additional resource type resource_type2 = 'test_type2' self._create_resource_type(resource_type2, actions) test_type2 = ResourceType(resource_type2) # list resources resource_types = ResourceType.get_types() self.assertEqual([resource_type, resource_type2], resource_types)
def test_eval(self): actions = ['test:readproject', 'test:writeproject', 'test:deleteproject'] resource_type = 'test_type' test_type = ResourceType.create(resource_type, actions) access_level = 'Reader' resource_policy = { "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Sid": "project_reader", "Effect": "Allow", "Action": ['test:readproject'], "Resource": f"{self.arn_prefix}{resource_type}/*" } ] } test_type.create_policy(access_level, resource_policy, 'ResourcePolicy') user = User.provision_user('test_user') type_id = '1234455' resource = f'{self.arn_prefix}{resource_type}/{type_id}' with self.subTest("A user does not have access when they only have permitting resource_policy and no " "permitting IAMPolicy"): test_id = test_type.create_id(type_id) test_id.add_principals([user], access_level) x = get_resource_authz_parameters(user.name, resource) resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy']) self.assertFalse(resp['result']) with self.subTest("A user has a access when they have a permitting resource policy and IAMPolicy"): IAMpolicy = { "Statement": [ { "Sid": "project_reader", "Effect": "Allow", "Action": [ "test:readproject" ], "Resource": f"{self.arn_prefix}{resource_type}/*" } ] } role = Role.create('project_reader', IAMpolicy) user.add_roles([role.name]) x = get_resource_authz_parameters(user.name, resource) resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy']) self.assertTrue(resp['result'])
def test_get_authz_params(self): actions = ['test:readproject', 'test:writeproject', 'test:deleteproject'] resource_type = 'test_type' test_type = ResourceType.create(resource_type, actions) access_level = 'Reader' resource_policy = { "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Sid": "project_reader", "Effect": "Allow", "Action": ['test:readproject'], "Resource": f"{self.arn_prefix}{resource_type}/*" } ] } test_type.create_policy(access_level, resource_policy, 'ResourcePolicy') user = User.provision_user('test_user') type_id = '1234455' resource = f'{self.arn_prefix}{resource_type}/{type_id}' with self.subTest("A user has no access when no access level set between user and resource"): with self.assertRaises(ResourceNotFound): get_resource_authz_parameters(user.name, resource) with self.subTest("No resource policy parameters are returned when the user tries to access a resource that " "does not use resource policies"): params = get_resource_authz_parameters(user.name, f"{self.arn_prefix}non_acl_resource/1234") self.assertFalse(params.get('ResourcePolicy')) self.assertFalse(params.get('resources')) with self.subTest("The resource policy for the access level assigned to the user is returned when a user " "is given access to a resource"): test_id = test_type.create_id(type_id) test_id.add_principals([user], access_level) params = get_resource_authz_parameters(user.name, resource) self.assertTrue(json_equal(params['ResourcePolicy'], resource_policy)) self.assertEqual(['Reader'], params['resources']) with self.subTest("No access when the user is disabled."): user.disable() with self.assertRaises(AuthorizationException): get_resource_authz_parameters(user.name, resource)
def _create_resource_type(self, name='test_type', actions=None): actions = actions or ['readproject', 'writeproject', 'deleteproject'] return ResourceType.create(name, actions)
def delete(token_info: dict, resource_type_name, policy_name): rt = ResourceType(resource_type_name) rt.delete_policy(policy_name) return make_response( f"Deleted resource/{resource_type_name}/policy/{policy_name}.", 200)
def put(token_info: dict, resource_type_name, policy_name): json_body = request.json rt = ResourceType(resource_type_name) rt.update_policy(policy_name, json_body['policy'], 'ResourcePolicy') return make_response( f"Modified resource/{resource_type_name}/policy/{policy_name}.", 200)
def get(token_info: dict, resource_type_name, policy_name): rt = ResourceType(resource_type_name) rt._exists([rt.name]) policy = rt.get_policy(policy_name) return make_response(jsonify(policy), 200)
def get(token_info: dict, resource_type_name): rt = ResourceType(resource_type_name) actions = rt.actions return make_response(jsonify({'actions': actions}), 200)
def delete(token_info: dict, resource_type_name): json_body = request.json rt = ResourceType(resource_type_name) rt.remove_actions(json_body['actions']) return make_response(f"Actions removed from resource type {rt.name}.", 200)
def put(token_info: dict, resource_type_name): json_body = request.json rt = ResourceType(resource_type_name) rt.add_actions(json_body['actions']) return make_response(f"Actions added to resource type {rt.name}.", 200)
def get(token_info: dict, resource_type_name): next_token, per_page = get_next_token(request.args) return get_page(ResourceType(resource_type_name).list_ids, next_token, per_page, content_key='resource_ids')