def post(self, action):
handler = getattr(self, "{}_handler".format(action), None)
if handler is None:
raise errors.ParamsInvalidError(
"petition action {} invalid".format(action))
else:
return handler(self.params.privilege_model,
self.params.privilege_name)
def post(self):
if self.user:
username = self.user.username
else:
username = self.params.username
if not username:
raise errors.ParamsInvalidError('username must be passed')
privilege = getattr(self.params.privilege_type,
self.params.privilege_name, None)
if not privilege:
raise errors.ParamsInvalidError(
"Invalid type of privilege: <%s %s>" %
(self.params.privilege_type.name, self.params.privilege_name))
authorize(privilege,
username,
node_id=self.params.node_id,
hostname=self.params.hostname)
return self.write_json({"msg": "authorize succeed"})
def _generic_handler(self, privilege_model, privilege_name, action,
from_statuses, to_status):
"""
:type privilege_model: loki.privilege.models.PrivilegeType
:type privilege_name: str
:type action: str
:type from_statuses: list[loki.privilege.models.PrivilegeStatus]
:type to_status: loki.privilege.models.PrivilegeStatus
"""
privileges = privilege_model.privileges
if privilege_name == "admin":
required_privilege = self.privilege_map[privileges.group]
"""
check grant_normal_privileges or grant_critical_privileges
when applying admin privilege
"""
authorize(required_privilege,
self.user.username,
node_id=self.params.node_id)
else:
required_privilege = getattr(privileges, "admin")
"""
check corresponding admin privilege
when applying other privileges
"""
authorize(required_privilege,
self.user.username,
node_id=self.params.node_id)
try:
status = PrivilegeStatus(
privileges.get_matrix_by_name(privilege_name))
if status not in from_statuses:
raise errors.OperationNotAllowed(
"can't {} petition in {} status".format(
action, status.name))
else:
privileges.set_matrix_by_name(privilege_name, to_status)
privilege_model.privileges = privileges
privilege_model.modifier = self.user.username
privilege_model.save()
except AttributeError as e:
raise errors.ParamsInvalidError(str(e))
else:
return self.write_json(privilege_model.for_json())
def authorize(privilege, username, node_id=None, hostname=None):
"""
:type privilege: PrivilegeBase
:type username: basestring
:type node_id: int
:type hostname: basestring
"""
if not node_id:
if not hostname:
raise errors.ParamsInvalidError(
"must have parameter node_id or hostname")
else:
server = RawServer.query \
.options(load_only(RawServer.id)) \
.options(joinedload(RawServer.nodes).load_only("node_id")) \
.filter_by(hostname=hostname).first_or_404()
nodes = [TreeNode(node.node_id) for node in server.nodes]
else:
nodes = [TreeNode(node_id)]
node_ids = {
n.id
for n in chain(*[tree_node.parents for tree_node in nodes])
}
node_ids |= {n.id for n in nodes}
privilege_models = PrivilegeType.query \
.options(load_only(PrivilegeType._matrix)) \
.filter((PrivilegeType.node_id.in_(node_ids))) \
.filter_by(privilege_type=privilege.name,
username=username) \
.all()
if not privilege_models:
# raise errors.DoesNotExist('You have not applied for this type of privilege.')
raise errors.HasNoPermission(
"Require {} privilege to access this resource, you havn't apply for it yet"
.format(privilege))
if not any(p.has_privilege(privilege) for p in privilege_models):
# raise errors.HasNoPermission("Privilege has not been applied for, is applying, is rejected or has been revoked.")
raise errors.HasNoPermission(
"Require {} privilege to access this resource".format(privilege))
def get(self, node_id):
privilege_type = self.get_argument('type', None)
status_str = self.get_argument('status', None)
limit = int(self.get_argument('limit', 0))
index = int(self.get_argument('index', 1))
username = self.get_argument('username', None)
privilege_types = PrivilegeType.query.options(undefer_group("audit")) \
.filter(~PrivilegeType.username.like(settings.AUTH_TOKEN_PREFIX + "%")) \
.order_by(PrivilegeType.ctime.desc())
if username:
privilege_types = privilege_types.filter(
PrivilegeType.username == username)
node_id = int(node_id)
if node_id != settings.TREE_ROOT_ID:
node = TreeNode(node_id)
node_ids = [n.id for n in node.offspring_treenode]
privilege_types = privilege_types.filter(
PrivilegeType.node_id.in_(node_ids))
if status_str:
try:
status = PrivilegeStatus[status_str]
except KeyError:
raise errors.ParamsInvalidError("status %s invalid" %
status_str)
status_mask = status.value * sum(2**i for i in xrange(0, 64, 4))
privilege_types = privilege_types.filter(
PrivilegeType._matrix.op('&')(status_mask) != 0b0)
if privilege_type:
privilege_types = privilege_types.filter_by(
privilege_type=privilege_type)
if limit:
count, privilege_types = privilege_types.paginator(limit, index)
data = privilege_types.all()
self.write_json(
format_paginator_resposne(data, count, limit, index))
else:
self.write_data(privilege_types.all())
def apply(self):
privilege_type = self.params.privilege_type
privilege_names = self.params.privilege_names
if not privilege_names:
raise errors.ParamsInvalidError("privilege_names is required")
privilege_model = PrivilegeType.query.filter_by(
node_id=self.params.node_id,
username=self.user.username,
privilege_type=privilege_type.name).first()
if privilege_model:
privilege = privilege_model.privileges
for privilege_name in privilege_names:
status = privilege.get_matrix_by_name(privilege_name)
if status == PrivilegeStatus.applying:
raise errors.OperationNotAllowed(
"user %s have been applying <%s %s> on node id %s" %
(self.user.username, privilege_type.name,
privilege_name, self.params.node_id))
elif status == PrivilegeStatus.approved:
raise errors.OperationNotAllowed(
"user %s have been granted <%s %s> on node id %s" %
(self.user.username, privilege_type.name,
privilege_name, self.params.node_id))
else:
privilege.set_matrix_by_name(privilege_name,
PrivilegeStatus.applying)
privilege_model.privileges = privilege
else:
privilege = privilege_type()
for privilege_name in privilege_names:
privilege.set_matrix_by_name(privilege_name,
PrivilegeStatus.applying)
privilege_model = PrivilegeType(node_id=self.params.node_id,
username=self.user.username,
privilege_cls=privilege)
privilege_model.save()
return self.write_json({"message": "apply privilege succeed"})
def apply_token(self):
privilege_type = self.params.privilege_type
privilege = privilege_type()
for privilege_name in privilege.enum.__members__.keys():
if privilege_name == "admin":
continue
privilege.set_matrix_by_name(privilege_name,
PrivilegeStatus.applying)
prefixed_token = self.params.token
if not prefixed_token:
prefixed_token = encrypt_token(self.user.username)
privilege_model = PrivilegeType(node_id=self.params.node_id,
username=prefixed_token,
privilege_cls=privilege)
try:
privilege_model.save()
except IntegrityError:
raise errors.ParamsInvalidError(
'Token has already been applied for this privilege')
return self.write_json({"message": "apply token succeed"})