def user_has_rule_action_permission(user_db, action_ref):
    """
    Tell whether ``user_db`` holds the ACTION_EXECUTE permission on the action a rule refers to.

    When RBAC is switched off in the config no check is made and True is returned.

    A reference which doesn't resolve to a stored action is still checked: an ActionDB object is
    built from the pack and name parsed out of the reference and is handed to the resolver in
    place of the missing record, so rules can point at actions which don't exist yet.

    :param user_db: User to check the permission for.
    :param action_ref: Reference of the action used inside the rule.

    :rtype: ``bool``
    """
    rbac_enabled = cfg.CONF.rbac.enable
    if not rbac_enabled:
        # RBAC is off - every caller is allowed
        return True

    resource_db = action_utils.get_action_by_ref(ref=action_ref)
    if not resource_db:
        # No stored action - evaluate the permission against a stand-in object
        parsed_ref = ResourceReference.from_string_reference(ref=action_ref)
        resource_db = ActionDB(pack=parsed_ref.pack, name=parsed_ref.name, ref=action_ref)

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    return bool(resolver.user_has_resource_db_permission(
        user_db=user_db,
        resource_db=resource_db,
        permission_type=PermissionType.ACTION_EXECUTE))
Exemplo n.º 2
Arquivo: utils.py Projeto: lyandut/st2
def user_has_rule_action_permission(user_db, action_ref):
    """
    Return True when the user may execute the action referenced by a rule, False otherwise.

    With RBAC disabled in the config the answer is always True.

    Note: Rules can reference actions which don't yet exist in the system. For such a reference
    the ACTION_EXECUTE check runs against an ActionDB object created on the spot from the parsed
    reference (pack, name) instead of a stored record.

    :param user_db: User whose permissions are checked.
    :param action_ref: Reference of the action used inside the rule.

    :rtype: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    stored_action_db = action_utils.get_action_by_ref(ref=action_ref)

    if stored_action_db:
        checked_action_db = stored_action_db
    else:
        # Action isn't registered (yet) - build a stand-in so the check can still be made
        reference = ResourceReference.from_string_reference(ref=action_ref)
        checked_action_db = ActionDB(pack=reference.pack, name=reference.name, ref=action_ref)

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    allowed = resolver.user_has_resource_db_permission(
        user_db=user_db, resource_db=checked_action_db,
        permission_type=PermissionType.ACTION_EXECUTE)

    return True if allowed else False
Exemplo n.º 3
    def test_get_resolver_for_resource_type_valid_resource_type(self):
        # For every supported resource type the returned resolver class must carry the part of
        # the type before the first underscore in its name. This is a loose, case-insensitive
        # substring check, not an exact class match.
        supported_types = (
            ResourceType.PACK,
            ResourceType.SENSOR,
            ResourceType.ACTION,
            ResourceType.RULE,
            ResourceType.EXECUTION,
            ResourceType.KEY_VALUE_PAIR,
        )

        for current_type in supported_types:
            resolver_cls = get_resolver_for_resource_type(resource_type=current_type)
            expected_fragment = current_type.split('_', 1)[0].lower()
            actual_name = resolver_cls.__name__.lower()
            self.assertTrue(expected_fragment in actual_name)
Exemplo n.º 4
    def test_get_resolver_for_resource_type_valid_resource_type(self):
        # Every supported resource type has to yield a resolver instance whose class name
        # contains the leading word of the type (case-insensitive substring match only).
        supported_types = (
            ResourceType.PACK,
            ResourceType.SENSOR,
            ResourceType.ACTION,
            ResourceType.RULE,
            ResourceType.EXECUTION,
            ResourceType.KEY_VALUE_PAIR,
            ResourceType.WEBHOOK,
        )

        for current_type in supported_types:
            resolver = get_resolver_for_resource_type(resource_type=current_type)
            expected_fragment = current_type.split('_', 1)[0].lower()
            actual_name = type(resolver).__name__.lower()
            self.assertTrue(expected_fragment in actual_name)
Exemplo n.º 5
    def test_get_resolver_for_resource_type_valid_resource_type(self):
        # Each listed resource type must map to a resolver whose class name includes the text
        # before the first underscore of the type, compared in lower case. Only a substring is
        # checked, so RULE and RULE_ENFORCEMENT both look for "rule".
        supported_types = (
            ResourceType.PACK,
            ResourceType.SENSOR,
            ResourceType.ACTION,
            ResourceType.RULE,
            ResourceType.RULE_ENFORCEMENT,
            ResourceType.EXECUTION,
            ResourceType.KEY_VALUE_PAIR,
            ResourceType.WEBHOOK,
        )

        for current_type in supported_types:
            resolver = get_resolver_for_resource_type(resource_type=current_type)
            expected_fragment = current_type.split('_', 1)[0].lower()
            actual_name = type(resolver).__name__.lower()
            self.assertTrue(expected_fragment in actual_name)
def user_has_rule_trigger_permission(user_db, trigger):
    """
    Tell whether ``user_db`` has the permissions needed on the trigger a rule refers to.

    The decision is delegated to the resolver registered for the RULE resource type. When RBAC
    is switched off in the config no check is made and True is returned.

    :param user_db: User to check the permission for.
    :param trigger: Trigger used / referenced inside the rule.

    :rtype: ``bool``
    """
    rbac_enabled = cfg.CONF.rbac.enable
    if not rbac_enabled:
        # RBAC is off - every caller is allowed
        return True

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.RULE)
    return bool(resolver.user_has_trigger_permission(user_db=user_db, trigger=trigger))
Exemplo n.º 7
Arquivo: utils.py Projeto: lyandut/st2
def user_has_rule_trigger_permission(user_db, trigger):
    """
    Return True when the user holds the permissions required for the trigger used by a rule,
    False otherwise.

    With RBAC disabled in the config the answer is always True; otherwise the RULE resolver
    decides.

    :param user_db: User whose permissions are checked.
    :param trigger: Trigger used / referenced inside the rule.

    :rtype: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    resolver = resolvers.get_resolver_for_resource_type(ResourceType.RULE)
    allowed = resolver.user_has_trigger_permission(user_db=user_db, trigger=trigger)

    return True if allowed else False
Exemplo n.º 8
Arquivo: utils.py Projeto: Bala96/st2
def request_user_has_rule_action_permission(request, action_ref):
    """
    Tell whether the user behind ``request`` holds the ACTION_EXECUTE permission on the action
    a rule refers to.

    When RBAC is switched off in the config no check is made and True is returned.

    :param request: Request the user is looked up from.
    :param action_ref: Reference of the action used inside the rule.

    :rtype: ``bool``
    """
    rbac_enabled = cfg.CONF.rbac.enable
    if not rbac_enabled:
        # RBAC is off - every caller is allowed
        return True

    requester_db = get_user_db_from_request(request=request)
    # NOTE(review): a reference which doesn't resolve to an action isn't handled here - whatever
    # the lookup returns is passed to the resolver as-is. Confirm the resolver denies in that case.
    target_action_db = action_utils.get_action_by_ref(ref=action_ref)
    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)

    return bool(resolver.user_has_resource_db_permission(
        user_db=requester_db,
        resource_db=target_action_db,
        permission_type=PermissionType.ACTION_EXECUTE))
Exemplo n.º 9
def request_user_has_rule_action_permission(request, action_ref):
    """
    Return True when the user the request belongs to may execute the action referenced by a
    rule, False otherwise.

    With RBAC disabled in the config the answer is always True.

    :param request: Request the user is looked up from.
    :param action_ref: Reference of the action used inside the rule.

    :rtype: ``bool``
    """
    if not cfg.CONF.rbac.enable:
        return True

    requester_db = get_user_db_from_request(request=request)
    # NOTE(review): there is no branch for a reference which doesn't resolve to an action; the
    # lookup result goes to the resolver unchanged - verify that such a case ends in a denial.
    target_action_db = action_utils.get_action_by_ref(ref=action_ref)
    resolver = resolvers.get_resolver_for_resource_type(ResourceType.ACTION)
    allowed = resolver.user_has_resource_permission(
        user_db=requester_db, resource_db=target_action_db,
        permission_type=PermissionType.ACTION_EXECUTE)

    return True if allowed else False