def get(self, request):
"""
Retrieve permissions for all resources or for a particular resource.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:return: Response containing a list of permissions for resource/s
:rtype: django.http.HttpResponse
"""
query_params = request.GET
resource = query_params.get('resource', None)
permissions = []
if resource is None:
permissions = factory.permission_query_manager().find_all()
else:
permission = factory.permission_query_manager().find_by_resource(resource)
if permission is not None:
permissions = [permission]
for permission in permissions:
# Isolate the database schema change to behind the api. This should be transparent
users = {}
for item in permission['users']:
users[item['username']] = item['permissions']
permission['users'] = users
permission_manager = factory.permission_manager()
for user, ops in users.items():
users[user] = [permission_manager.operation_value_to_name(o) for o in ops]
return generate_json_response_with_pulp_encoder(permissions)
def is_authorized(self, resource, login, operation):
"""
Check to see if a user is authorized to perform an operation on a resource
@type resource: str
@param resource: pulp resource path
@type login: str
@param login: login of user to check permissions for
@type operation: int
@param operation: operation to be performed on resource
@rtype: bool
@return: True if the user is authorized for the operation on the resource,
False otherwise
"""
if self.is_superuser(login):
return True
permission_query_manager = factory.permission_query_manager()
parts = [p for p in resource.split('/') if p]
while parts:
current_resource = '/%s/' % '/'.join(parts)
permission = permission_query_manager.find_by_resource(current_resource)
if permission is not None:
if operation in permission['users'].get(login, []):
return True
parts = parts[:-1]
permission = Permission.get_collection().find_one({'resource' : '/'})
return (permission is not None and
operation in permission['users'].get(login, []))
def is_authorized(self, resource, login, operation):
"""
Check to see if a user is authorized to perform an operation on a resource
@type resource: str
@param resource: pulp resource path
@type login: str
@param login: login of user to check permissions for
@type operation: int
@param operation: operation to be performed on resource
@rtype: bool
@return: True if the user is authorized for the operation on the resource,
False otherwise
"""
if self.is_superuser(login):
return True
permission_query_manager = factory.permission_query_manager()
parts = [p for p in resource.split('/') if p]
while parts:
current_resource = '/%s/' % '/'.join(parts)
permission = permission_query_manager.find_by_resource(current_resource)
if permission is not None:
if operation in permission_query_manager.find_user_permission(permission, login):
return True
parts = parts[:-1]
permission = Permission.get_collection().find_one({'resource': '/'})
return (permission is not None and
operation in permission_query_manager.find_user_permission(permission, login))
def test_syntactic_sugar_methods(self):
"""
Tests the syntactic sugar methods for retrieving specific managers.
"""
# Setup
factory.initialize()
# Test
self.assertTrue(isinstance(factory.authentication_manager(), AuthenticationManager))
self.assertTrue(isinstance(factory.cert_generation_manager(), CertGenerationManager))
self.assertTrue(isinstance(factory.certificate_manager(), CertificateManager))
self.assertTrue(isinstance(factory.password_manager(), PasswordManager))
self.assertTrue(isinstance(factory.permission_manager(), PermissionManager))
self.assertTrue(isinstance(factory.permission_query_manager(), PermissionQueryManager))
self.assertTrue(isinstance(factory.role_manager(), RoleManager))
self.assertTrue(isinstance(factory.role_query_manager(), RoleQueryManager))
self.assertTrue(isinstance(factory.user_manager(), UserManager))
self.assertTrue(isinstance(factory.user_query_manager(), UserQueryManager))
self.assertTrue(isinstance(factory.repo_manager(), RepoManager))
self.assertTrue(isinstance(factory.repo_unit_association_manager(), RepoUnitAssociationManager))
self.assertTrue(isinstance(factory.repo_publish_manager(), RepoPublishManager))
self.assertTrue(isinstance(factory.repo_query_manager(), RepoQueryManager))
self.assertTrue(isinstance(factory.repo_sync_manager(), RepoSyncManager))
self.assertTrue(isinstance(factory.content_manager(), ContentManager))
self.assertTrue(isinstance(factory.content_query_manager(), ContentQueryManager))
self.assertTrue(isinstance(factory.content_upload_manager(), ContentUploadManager))
self.assertTrue(isinstance(factory.consumer_manager(), ConsumerManager))
self.assertTrue(isinstance(factory.topic_publish_manager(), TopicPublishManager))
def is_authorized(resource, login, operation):
"""
Check to see if a user is authorized to perform an operation on a resource.
:param resource: pulp resource url
:type resource: str
:param login: login of user to check permissions for
:type login: str
:param operation: operation to be performed on resource
:type operation: int
:return: True if the user is authorized for the operation on the resource, False otherwise
:rtype: bool
"""
user = model.User.objects.get_or_404(login=login)
if user.is_superuser():
return True
permission_query_manager = manager_factory.permission_query_manager()
# User is authorized if they have access to the resource or any of the its base resources.
parts = [p for p in resource.split('/') if p]
while parts:
current_resource = '/%s/' % '/'.join(parts)
permission = permission_query_manager.find_by_resource(current_resource)
if permission is not None:
if operation in permission_query_manager.find_user_permission(permission, login):
return True
parts = parts[:-1]
permission = Permission.get_collection().find_one({'resource': '/'})
return (permission is not None and
operation in permission_query_manager.find_user_permission(permission, login))
def test_syntactic_sugar_methods(self):
"""
Tests the syntactic sugar methods for retrieving specific managers.
"""
# Setup
factory.initialize()
# Test
self.assertTrue(isinstance(factory.authentication_manager(), AuthenticationManager))
self.assertTrue(isinstance(factory.cert_generation_manager(), CertGenerationManager))
self.assertTrue(isinstance(factory.certificate_manager(), CertificateManager))
self.assertTrue(isinstance(factory.password_manager(), PasswordManager))
self.assertTrue(isinstance(factory.permission_manager(), PermissionManager))
self.assertTrue(isinstance(factory.permission_query_manager(), PermissionQueryManager))
self.assertTrue(isinstance(factory.role_manager(), RoleManager))
self.assertTrue(isinstance(factory.role_query_manager(), RoleQueryManager))
self.assertTrue(isinstance(factory.user_manager(), UserManager))
self.assertTrue(isinstance(factory.user_query_manager(), UserQueryManager))
self.assertTrue(isinstance(factory.repo_manager(), RepoManager))
self.assertTrue(isinstance(factory.repo_unit_association_manager(),
RepoUnitAssociationManager))
self.assertTrue(isinstance(factory.repo_publish_manager(), RepoPublishManager))
self.assertTrue(isinstance(factory.repo_query_manager(), RepoQueryManager))
self.assertTrue(isinstance(factory.repo_sync_manager(), RepoSyncManager))
self.assertTrue(isinstance(factory.content_manager(), ContentManager))
self.assertTrue(isinstance(factory.content_query_manager(), ContentQueryManager))
self.assertTrue(isinstance(factory.content_upload_manager(), ContentUploadManager))
self.assertTrue(isinstance(factory.consumer_manager(), ConsumerManager))
self.assertTrue(isinstance(factory.topic_publish_manager(), TopicPublishManager))
def GET(self):
query_params = web.input()
resource = query_params.get('resource', None)
permissions = []
if resource is None:
permissions = managers.permission_query_manager().find_all()
else:
permission = managers.permission_query_manager().find_by_resource(resource)
if permission is not None:
permissions = [permission]
for permission in permissions:
users = permission['users']
for user, ops in users.items():
users[user] = [operation_to_name(o) for o in ops]
return self.ok(permissions)
def GET(self):
query_params = web.input()
resource = query_params.get('resource', None)
permissions = []
if resource is None:
permissions = managers.permission_query_manager().find_all()
else:
permission = managers.permission_query_manager().find_by_resource(
resource)
if permission is not None:
permissions = [permission]
for permission in permissions:
users = permission['users']
for user, ops in users.items():
users[user] = [operation_to_name(o) for o in ops]
return self.ok(permissions)
def setUp(self):
super(RoleManagerTests, self).setUp()
self.alpha_num = string.letters + string.digits
self.role_manager = manager_factory.role_manager()
self.role_query_manager = manager_factory.role_query_manager()
self.permission_manager = manager_factory.permission_manager()
self.permission_query_manager = manager_factory.permission_query_manager()
self.role_manager.ensure_super_user_role()
manager_factory.principal_manager().clear_principal()
def setUp(self):
super(PermissionManagerTests, self).setUp()
self.alpha_num = string.letters + string.digits
self.role_manager = manager_factory.role_manager()
self.role_query_manager = manager_factory.role_query_manager()
self.permission_manager = manager_factory.permission_manager()
self.permission_query_manager = manager_factory.permission_query_manager()
self.role_manager.ensure_super_user_role()
manager_factory.principal_manager().clear_principal()
def setUp(self):
super(AuthControllersTests, self).setUp()
self.user_manager = manager_factory.user_manager()
self.user_query_manager = manager_factory.user_query_manager()
self.role_manager = manager_factory.role_manager()
self.role_query_manager = manager_factory.role_query_manager()
self.permission_manager = manager_factory.permission_manager()
self.permission_query_manager = manager_factory.permission_query_manager()
self.password_manager = manager_factory.password_manager()
self.role_manager.ensure_super_user_role()
self.user_manager.ensure_admin()
def setUp(self):
super(AuthControllersTests, self).setUp()
self.user_manager = manager_factory.user_manager()
self.user_query_manager = manager_factory.user_query_manager()
self.role_manager = manager_factory.role_manager()
self.role_query_manager = manager_factory.role_query_manager()
self.permission_manager = manager_factory.permission_manager()
self.permission_query_manager = manager_factory.permission_query_manager(
)
self.password_manager = manager_factory.password_manager()
self.role_manager.ensure_super_user_role()
self.user_manager.ensure_admin()
def GET(self):
query_params = web.input()
resource = query_params.get('resource', None)
permissions = []
if resource is None:
permissions = managers.permission_query_manager().find_all()
else:
permission = managers.permission_query_manager().find_by_resource(resource)
if permission is not None:
permissions = [permission]
for permission in permissions:
# Isolate the database schema change to behind the api. This should be transparent
users = {}
for item in permission['users']:
users[item['username']] = item['permissions']
permission['users'] = users
permission_manager = managers.permission_manager()
for user, ops in users.items():
users[user] = [permission_manager.operation_value_to_name(o) for o in ops]
return self.ok(permissions)
def revoke(resource, login, operations):
"""
Revoke permission on a resource for a user and a set of operations.
:param resource: uri path representing a pulp resource
:type resource: str
:param login: login of user to revoke permissions from
:type login: str
:param operations: list of allowed operations being revoked
:type operations: list or tuple of integers
:raises InvalidValue: if some params are invalid
"""
permission_query_manager = factory.permission_query_manager()
# we don't revoke permissions from the system
if login == system.SYSTEM_LOGIN:
return
user = User.get_collection().find_one({'login': login})
if user is None:
raise InvalidValue(['login'])
permission = Permission.get_collection().find_one(
{'resource': resource})
if permission is None:
return
current_ops = permission_query_manager.find_user_permission(
permission, user['login'])
if not current_ops:
return
for o in operations:
if o not in current_ops:
continue
current_ops.remove(o)
# delete the user from this permission if there are no more allowed operations
if not current_ops:
permission_query_manager.delete_user_permission(
permission, user['login'])
# delete the permission if there are no more users
if not permission['users']:
PermissionManager.delete_permission(resource)
return
Permission.get_collection().save(permission)
def revoke_all_permissions_from_user(self, login):
"""
Revoke all the permissions from a given user
@type login: str
@param login: login of the user to revoke all permissions from
@rtype: bool
@return: True on success
"""
for permission in factory.permission_query_manager().find_all():
if login not in permission['users']:
continue
del permission['users'][login]
Permission.get_collection().save(permission, safe=True)
return True
def revoke_all_permissions_from_user(self, login):
"""
Revoke all the permissions from a given user
:param login: login of the user to revoke all permissions from
:type login: str
"""
permission_query_manager = factory.permission_query_manager()
for permission in permission_query_manager.find_all():
if permission_query_manager.get_user_permission(permission, login) is None:
continue
permission_query_manager.delete_user_permission(permission, login)
if len(permission['users']) > 0:
Permission.get_collection().save(permission, safe=True)
else:
# Delete entire permission if there are no more users
Permission.get_collection().remove({'resource': permission['resource']}, safe=True)
def revoke(resource, login, operations):
"""
Revoke permission on a resource for a user and a set of operations.
:param resource: uri path representing a pulp resource
:type resource: str
:param login: login of user to revoke permissions from
:type login: str
:param operations: list of allowed operations being revoked
:type operations: list or tuple of integers
:raises InvalidValue: if some params are invalid
"""
permission_query_manager = factory.permission_query_manager()
# we don't revoke permissions from the system
if login == system.SYSTEM_LOGIN:
return
user = User.get_collection().find_one({'login': login})
if user is None:
raise InvalidValue(['login'])
permission = Permission.get_collection().find_one({'resource': resource})
if permission is None:
return
current_ops = permission_query_manager.find_user_permission(permission, user['login'])
if not current_ops:
return
for o in operations:
if o not in current_ops:
continue
current_ops.remove(o)
# delete the user from this permission if there are no more allowed operations
if not current_ops:
permission_query_manager.delete_user_permission(permission, user['login'])
# delete the permission if there are no more users
if not permission['users']:
PermissionManager.delete_permission(resource)
return
Permission.get_collection().save(permission, safe=True)
def revoke_all_permissions_from_user(self, login):
"""
Revoke all the permissions from a given user
@type login: str
@param login: login of the user to revoke all permissions from
@rtype: bool
@return: True on success
"""
for permission in factory.permission_query_manager().find_all():
if login not in permission['users']:
continue
del permission['users'][login]
if permission['users']:
Permission.get_collection().save(permission, safe=True)
else:
# Delete entire permission if there are no more users
Permission.get_collection().remove({'resource':permission['resource']}, safe=True)
def revoke_all_permissions_from_user(self, login):
"""
Revoke all the permissions from a given user
@type login: str
@param login: login of the user to revoke all permissions from
@rtype: bool
@return: True on success
"""
for permission in factory.permission_query_manager().find_all():
if login not in permission['users']:
continue
del permission['users'][login]
if permission['users']:
Permission.get_collection().save(permission, safe=True)
else:
# Delete entire permission if there are no more users
Permission.get_collection().remove(
{'resource': permission['resource']}, safe=True)
def grant(resource, login, operations):
"""
Grant permission on a resource for a user and a set of operations.
:param resource: uri path representing a pulp resource
:type resource: str
:param login: login of user to grant permissions to
:type login: str
:param operations:list of allowed operations being granted
:type operations: list or tuple of integers
:raises InvalidValue: if some params are invalid
"""
# we don't grant permissions to the system
if login == system.SYSTEM_LOGIN:
return
user = User.get_collection().find_one({'login': login})
if user is None:
raise InvalidValue(['login'])
# Make sure resource is a valid string or unicode
if not isinstance(resource, basestring):
raise InvalidValue(resource)
# Get or create permission if it doesn't already exist
permission = Permission.get_collection().find_one({'resource': resource})
if permission is None:
permission = PermissionManager.create_permission(resource)
current_ops = factory.permission_query_manager().find_user_permission(permission,
user['login'],
create=True)
for o in operations:
if o in current_ops:
continue
current_ops.append(o)
Permission.get_collection().save(permission, safe=True)
def is_authorized(resource, login, operation):
"""
Check to see if a user is authorized to perform an operation on a resource.
:param resource: pulp resource url
:type resource: str
:param login: login of user to check permissions for
:type login: str
:param operation: operation to be performed on resource
:type operation: int
:return: True if the user is authorized for the operation on the resource, False otherwise
:rtype: bool
"""
user = model.User.objects.get_or_404(login=login)
if user.is_superuser():
return True
permission_query_manager = manager_factory.permission_query_manager()
# User is authorized if they have access to the resource or any of the its base resources.
parts = [p for p in resource.split('/') if p]
while parts:
current_resource = '/%s/' % '/'.join(parts)
permission = permission_query_manager.find_by_resource(
current_resource)
if permission is not None:
if operation in permission_query_manager.find_user_permission(
permission, login):
return True
parts = parts[:-1]
permission = Permission.get_collection().find_one({'resource': '/'})
return (permission is not None
and operation in permission_query_manager.find_user_permission(
permission, login))
