def _get_proxy_service(self): # pylint: disable=no-self-use """Get proxy service host and port info from environment.""" proxy_conn_info = { PROTOCOL: ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PROTOCOL', default='https'), HOST: ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_HOST', default='localhost'), PORT: ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PORT', default='443'), PATH: ENVIRONMENT.get_value('PRINCIPAL_PROXY_SERVICE_PATH', default='/r/insights-services'), SOURCE_CERT: ENVIRONMENT.bool('PRINCIPAL_PROXY_SERVICE_SOURCE_CERT', default=False), SSL_VERIFY: ENVIRONMENT.bool('PRINCIPAL_PROXY_SERVICE_SSL_VERIFY', default=True), USER_ENV: ENVIRONMENT.get_value('PRINCIPAL_PROXY_USER_ENV', default='env'), CLIENT_ID: ENVIRONMENT.get_value('PRINCIPAL_PROXY_CLIENT_ID', default='client_id'), API_TOKEN: ENVIRONMENT.get_value('PRINCIPAL_PROXY_API_TOKEN', default='token') } return proxy_conn_info
def _get_proxy_service(self): # pylint: disable=no-self-use """Get proxy service host and port info from environment.""" proxy_conn_info = { PROTOCOL: ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PROTOCOL", default="https"), HOST: ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_HOST", default="localhost"), PORT: ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PORT", default="443"), PATH: ENVIRONMENT.get_value("PRINCIPAL_PROXY_SERVICE_PATH", default="/r/insights-services"), SOURCE_CERT: ENVIRONMENT.bool("PRINCIPAL_PROXY_SERVICE_SOURCE_CERT", default=False), SSL_VERIFY: ENVIRONMENT.bool("PRINCIPAL_PROXY_SERVICE_SSL_VERIFY", default=True), USER_ENV: ENVIRONMENT.get_value("PRINCIPAL_PROXY_USER_ENV", default="env"), CLIENT_ID: ENVIRONMENT.get_value("PRINCIPAL_PROXY_CLIENT_ID", default="client_id"), API_TOKEN: ENVIRONMENT.get_value("PRINCIPAL_PROXY_API_TOKEN", default="token"), } return proxy_conn_info
def get_group_queryset(request): """Obtain the queryset for groups.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) if scope != ACCOUNT_SCOPE: return get_object_principal_queryset(request, scope, Group) if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return Group.objects.annotate(principalCount=Count('principals', distinct=True), policyCount=Count('policies', distinct=True)) if request.user.admin: return Group.objects.annotate(principalCount=Count('principals', distinct=True), policyCount=Count('policies', distinct=True)) username = request.query_params.get('username') if username: decoded = request.user.identity_header.get('decoded', {}) identity_username = decoded.get('identity', {}).get('user', {}).get('username') if username != identity_username: return Group.objects.none() else: return Group.objects.filter(principals__username=username) access = request.user.access access_op = 'read' if request.method in ('POST', 'PUT'): access_op = 'write' res_list = access.get('group', {}).get(access_op, []) if not res_list: return Group.objects.none() if '*' in res_list: return Group.objects.annotate(principalCount=Count('principals', distinct=True), policyCount=Count('policies', distinct=True)) return Group.objects.filter(uuid__in=res_list).annotate(principalCount=Count('principals', distinct=True), policyCount=Count('policies', distinct=True))
def has_permission(self, request, view): """Check permission based on the defined access.""" if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return True if request.user.admin: return True if request.method in permissions.SAFE_METHODS: if is_scope_principal(request): return True username = request.query_params.get('username') if username: decoded = request.user.identity_header.get('decoded', {}) identity_username = decoded.get('identity', {}).get('user', {}).get('username') return username == identity_username else: group_read = request.user.access.get('group', {}).get('read', []) if group_read: return True else: group_write = request.user.access.get('group', {}).get('write', []) if group_write: return True return False
def has_group_all_access(request): """Quick check to determine if a request should have access to all groups on a tenant.""" return ( ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool) or request.user.admin or (request.path == reverse("group-list") and request.method == "GET") )
def get_role_queryset(request): """Obtain the queryset for roles.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) base_query = annotate_roles_with_counts( Role.objects.prefetch_related("access")) if scope != ACCOUNT_SCOPE: queryset = get_object_principal_queryset( request, scope, Role, **{ "prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles" }, ) return annotate_roles_with_counts(queryset) username = request.query_params.get("username") if username: if username != request.user.username and not request.user.admin: return Role.objects.none() else: queryset = get_object_principal_queryset( request, PRINCIPAL_SCOPE, Role, **{ "prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles" }, ) return annotate_roles_with_counts(queryset) if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return base_query if request.user.admin: return base_query access = request.user.access access_op = "read" if request.method in ("POST", "PUT"): access_op = "write" res_list = access.get("role", {}).get(access_op, []) if not res_list: return Role.objects.none() if "*" in res_list: return base_query return base_query.filter(uuid__in=res_list)
def has_permission(self, request, view): """Check permission based on the defined access.""" if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return True if request.user.admin: return True if request.method in permissions.SAFE_METHODS: if is_scope_principal(request): return True role_read = request.user.access.get('role', {}).get('read', []) if role_read: return True else: role_write = request.user.access.get('role', {}).get('write', []) if role_write: return True return False
def get_policy_queryset(request): """Obtain the queryset for policies.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) if scope != ACCOUNT_SCOPE: return get_object_principal_queryset(request, scope, Policy) if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return Policy.objects.all() if request.user.admin: return Policy.objects.all() access = user_has_perm(request, "policy") if access == "All": return Policy.objects.all() if access == "None": return Policy.objects.none() return Policy.objects.filter(uuid__in=access)
def get_role_queryset(request): """Obtain the queryset for roles.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) if scope != ACCOUNT_SCOPE: return get_object_principal_queryset(request, scope, Role) if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return Role.objects.annotate(policyCount=Count('policies', distinct=True)) if request.user.admin: return Role.objects.annotate(policyCount=Count('policies', distinct=True)) access = request.user.access access_op = 'read' if request.method in ('POST', 'PUT'): access_op = 'write' res_list = access.get('role', {}).get(access_op, []) if not res_list: return Role.objects.none() if '*' in res_list: return Role.objects.annotate(policyCount=Count('policies', distinct=True)) return Role.objects.filter(uuid__in=res_list).annotate(policyCount=Count('policies', distinct=True))
def has_permission(self, request, view): """Check permission based on the defined access.""" if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return True if request.user.admin: return True if request.method in permissions.SAFE_METHODS: if is_scope_principal(request): return True policy_read = request.user.access.get("policy", {}).get("read", []) if policy_read: return True else: policy_write = request.user.access.get("policy", {}).get("write", []) if policy_write: return True return False
def get_policy_queryset(request): """Obtain the queryset for policies.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) if scope != ACCOUNT_SCOPE: return get_object_principal_queryset(request, scope, Policy) if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return Policy.objects.all() if request.user.admin: return Policy.objects.all() access = request.user.access access_op = "read" if request.method in ("POST", "PUT"): access_op = "write" res_list = access.get("policy", {}).get(access_op, []) if not res_list: return Policy.objects.none() if "*" in res_list: return Policy.objects.all() return Policy.objects.filter(uuid__in=res_list)
def get_policy_queryset(request): """Obtain the queryset for policies.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) if scope != ACCOUNT_SCOPE: return get_object_principal_queryset(request, scope, Policy) if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return Policy.objects.all() if request.user.admin: return Policy.objects.all() access = request.user.access access_op = 'read' if request.method in ('POST', 'PUT'): access_op = 'write' res_list = access.get('policy', {}).get(access_op, []) if not res_list: return Policy.objects.none() if '*' in res_list: return Policy.objects.all() return Policy.objects.filter(uuid__in=res_list)
def get_role_queryset(request): """Obtain the queryset for roles.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) base_query = annotate_roles_with_counts(Role.objects.prefetch_related("access")) if scope != ACCOUNT_SCOPE: queryset = get_object_principal_queryset( request, scope, Role, **{"prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles"}, ) return annotate_roles_with_counts(queryset) username = request.query_params.get("username") if username: if username != request.user.username and not request.user.admin: return Role.objects.none() else: queryset = get_object_principal_queryset( request, PRINCIPAL_SCOPE, Role, **{"prefetch_lookups_for_ids": "access", "prefetch_lookups_for_groups": "policies__roles"}, ) return annotate_roles_with_counts(queryset) if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return base_query if request.user.admin: return base_query access = user_has_perm(request, "role") if access == "All": return base_query if access == "None": return Role.objects.none() return annotate_roles_with_counts(Role.objects.filter(uuid__in=access))
def get_role_queryset(request): """Obtain the queryset for roles.""" scope = request.query_params.get(SCOPE_KEY, ACCOUNT_SCOPE) base_query = annotate_roles_with_counts(Role.objects.prefetch_related('access')) if scope != ACCOUNT_SCOPE: queryset = get_object_principal_queryset(request, scope, Role, **{'prefetch_lookups_for_ids': 'access', 'prefetch_lookups_for_groups': 'policies__roles'}) return annotate_roles_with_counts(queryset) username = request.query_params.get('username') if username: if username != request.user.username and not request.user.admin: return Role.objects.none() else: queryset = get_object_principal_queryset(request, PRINCIPAL_SCOPE, Role, **{'prefetch_lookups_for_ids': 'access', 'prefetch_lookups_for_groups': 'policies__roles'}) return annotate_roles_with_counts(queryset) if ENVIRONMENT.get_value('ALLOW_ANY', default=False, cast=bool): return base_query if request.user.admin: return base_query access = request.user.access access_op = 'read' if request.method in ('POST', 'PUT'): access_op = 'write' res_list = access.get('role', {}).get(access_op, []) if not res_list: return Role.objects.none() if '*' in res_list: return base_query return base_query.filter(uuid__in=res_list)
def has_permission(self, request, view): """Check permission based on the defined access.""" if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return True if request.user.admin: return True if request.method in permissions.SAFE_METHODS: if is_scope_principal(request) or request._request.path == reverse( "group-list"): return True username = request.query_params.get("username") if username: return username == request.user.username else: group_read = request.user.access.get("group", {}).get("read", []) if group_read: return True else: group_write = request.user.access.get("group", {}).get("write", []) if group_write: return True return False
def has_permission(self, request, view): """Check permission based on Account Admin property.""" if ENVIRONMENT.get_value("ALLOW_ANY", default=False, cast=bool): return True return request.user.admin