def user_has_rule_action_permission(user_db, action_ref):
    """
    Return True when ``user_db`` may execute the action a rule references.

    With RBAC disabled (``cfg.CONF.rbac.enable`` false) the check is skipped
    and True is returned.

    A rule may reference an action that is not (yet) registered. For such a
    reference the permission is evaluated against a transient ``ActionDB``
    built from the pack and name parsed out of ``action_ref``; nothing is
    persisted. ``action_ref`` is presumably a ``pack.name`` style string --
    it is not validated here, so a malformed reference surfaces from the
    parsing step.

    :param user_db: User whose permissions are evaluated.
    :param action_ref: String reference of the action used by the rule.
    :return: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    action_db = action_utils.get_action_by_ref(ref=action_ref)

    if not action_db:
        # Rules may be created before the action exists; evaluate the
        # permission against a placeholder carrying only pack / name / ref.
        parsed_ref = ResourceReference.from_string_reference(ref=action_ref)
        action_db = ActionDB(pack=parsed_ref.pack, name=parsed_ref.name, ref=action_ref)

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    granted = resolver.user_has_resource_db_permission(
        user_db=user_db,
        resource_db=action_db,
        permission_type=PermissionType.ACTION_EXECUTE)

    return bool(granted)
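def test_get_resolver_for_resource_type_valid_resource_type(self):
    """
    Every supported resource type must map to a resolver whose lowercased
    class name contains the first token of the resource type.
    """
    valid_resources_types = [
        ResourceType.PACK,
        ResourceType.SENSOR,
        ResourceType.ACTION,
        ResourceType.RULE,
        ResourceType.EXECUTION,
        ResourceType.KEY_VALUE_PAIR,
    ]

    for resource_type in valid_resources_types:
        cls = get_resolver_for_resource_type(resource_type=resource_type)

        # Only the leading token is compared (e.g. "KEY_VALUE_PAIR" -> "key"),
        # so multi-word types still match a resolver named after the first word.
        resource_name = resource_type.split('_')[0].lower()
        class_name = cls.__name__.lower()

        # assertIn reports both operands on failure, unlike assertTrue(a in b).
        self.assertIn(resource_name, class_name,
                      'Resolver %s does not appear to handle %s' % (cls.__name__, resource_type))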
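def test_get_resolver_for_resource_type_valid_resource_type(self):
    """
    Every supported resource type must map to a resolver instance whose
    lowercased class name contains the first token of the resource type.
    """
    valid_resources_types = [
        ResourceType.PACK,
        ResourceType.SENSOR,
        ResourceType.ACTION,
        ResourceType.RULE,
        ResourceType.EXECUTION,
        ResourceType.KEY_VALUE_PAIR,
        ResourceType.WEBHOOK,
    ]

    for resource_type in valid_resources_types:
        resolver_instance = get_resolver_for_resource_type(resource_type=resource_type)

        # Only the leading token is compared (e.g. "KEY_VALUE_PAIR" -> "key"),
        # so multi-word types still match a resolver named after the first word.
        resource_name = resource_type.split('_')[0].lower()
        class_name = resolver_instance.__class__.__name__.lower()

        # assertIn reports both operands on failure, unlike assertTrue(a in b).
        self.assertIn(resource_name, class_name,
                      'Resolver %s does not appear to handle %s' %
                      (resolver_instance.__class__.__name__, resource_type))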
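def test_get_resolver_for_resource_type_valid_resource_type(self):
    """
    Every supported resource type must map to a resolver instance whose
    lowercased class name contains the first token of the resource type.
    """
    valid_resources_types = [
        ResourceType.PACK,
        ResourceType.SENSOR,
        ResourceType.ACTION,
        ResourceType.RULE,
        ResourceType.RULE_ENFORCEMENT,
        ResourceType.EXECUTION,
        ResourceType.KEY_VALUE_PAIR,
        ResourceType.WEBHOOK,
    ]

    for resource_type in valid_resources_types:
        resolver_instance = get_resolver_for_resource_type(resource_type=resource_type)

        # Only the leading token is compared (e.g. "RULE_ENFORCEMENT" -> "rule"),
        # so multi-word types still match a resolver named after the first word.
        resource_name = resource_type.split('_')[0].lower()
        class_name = resolver_instance.__class__.__name__.lower()

        # assertIn reports both operands on failure, unlike assertTrue(a in b).
        self.assertIn(resource_name, class_name,
                      'Resolver %s does not appear to handle %s' %
                      (resolver_instance.__class__.__name__, resource_type))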
def user_has_rule_trigger_permission(user_db, trigger):
    """
    Return True when ``user_db`` may use ``trigger`` inside a rule.

    With RBAC disabled (``cfg.CONF.rbac.enable`` false) the check is skipped
    and True is returned; otherwise the decision is delegated to the RULE
    resolver's ``user_has_trigger_permission``.

    :param user_db: User whose permissions are evaluated.
    :param trigger: Trigger referenced by the rule; passed through unchanged.
    :return: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.RULE)
    granted = resolver.user_has_trigger_permission(user_db=user_db, trigger=trigger)
    return bool(granted)
def request_user_has_rule_action_permission(request, action_ref):
    """
    Return True when the user behind ``request`` may execute the action a
    rule references.

    With RBAC disabled (``cfg.CONF.rbac.enable`` false) the check is skipped
    and True is returned. Otherwise the user is resolved from the request and
    ``ACTION_EXECUTE`` is evaluated on the referenced action.

    :param request: Incoming request the user is resolved from.
    :param action_ref: String reference of the action used by the rule.
    :return: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    user_db = get_user_db_from_request(request=request)
    action_db = action_utils.get_action_by_ref(ref=action_ref)
    # NOTE(review): get_action_by_ref apparently yields a falsy value for an
    # unknown reference (user_has_rule_action_permission guards for it); here
    # that value reaches the resolver unguarded -- confirm the resolver copes.
    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    granted = resolver.user_has_resource_db_permission(
        user_db=user_db,
        resource_db=action_db,
        permission_type=PermissionType.ACTION_EXECUTE)

    return bool(granted)
def request_user_has_rule_action_permission(request, action_ref):
    """
    Return True when the user behind ``request`` may execute the action a
    rule references.

    With RBAC disabled (``cfg.CONF.rbac.enable`` false) the check is skipped
    and True is returned. Otherwise the user is resolved from the request and
    ``ACTION_EXECUTE`` is evaluated on the referenced action.

    :param request: Incoming request the user is resolved from.
    :param action_ref: String reference of the action used by the rule.
    :return: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    user_db = get_user_db_from_request(request=request)
    action_db = action_utils.get_action_by_ref(ref=action_ref)
    # NOTE(review): get_action_by_ref apparently yields a falsy value for an
    # unknown reference (user_has_rule_action_permission guards for it); here
    # that value reaches the resolver unguarded -- confirm the resolver copes.
    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    granted = resolver.user_has_resource_permission(
        user_db=user_db,
        resource_db=action_db,
        permission_type=PermissionType.ACTION_EXECUTE)

    return bool(granted)