def _check_permissions(self, msg):
allowed = permissions.get(config.controller['permissions_path'])
perms = permissions.check(allowed, self.sender, msg['collection'],
msg['id'])
if self.body['action'] not in perms:
raise ValueError("You don't have permission to do that.")
def _check_permissions(self, msg):
allowed = permissions.get(config.controller['permissions_path'])
perms = permissions.check(allowed,
self.sender,
msg['collection'],
msg['id'])
if self.body['action'] not in perms:
raise ValueError("You don't have permission to do that.")
def test_wrong_user(self):
perm = permissions.process(self.line)
user = '******'
collection = 'packages'
res_id = '/etc/httpd/httpd.conf'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_wrong_permission(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/httpd/httpd.conf'
action = 'update'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_wrong_permission(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/httpd/httpd.conf'
action = 'update'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_deny_wrong_res_id(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_allow_wildcard_res_id(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/httpd/httpd.conf'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def test_allow_wildcard_res_id(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/httpd/httpd.conf'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def test_wrong_user(self):
perm = permissions.process(self.line)
user = '******'
collection = 'packages'
res_id = '/etc/httpd/httpd.conf'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_deny_wrong_res_id(self):
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_allow_space_in_res_id(self):
self.line = """cortex files "/home/user/My Images/*" CRD"""
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/home/user/My Images/test.png'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def test_nothing_allowed(self):
self.line = "* * * -"
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_lines_order_matter_success(self):
fp = self._get_fp('permissions.conf')
perm_list = permissions.get(fp)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'update'
perms = permissions.check(perm_list, user, collection, res_id)
self.assertTrue(action in perms)
def test_lines_order_matter_fail(self):
fp = self._get_fp('permissions.conf')
perm_list = permissions.get(fp)
user = '******'
collection = 'executables'
res_id = 'rm -rf /'
action = 'update'
perms = permissions.check(perm_list, user, collection, res_id)
self.assertFalse(action in perms)
def test_if_cannot_read_then_cannot_ping(self):
self.line = "* files * -"
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = ''
action = 'ping'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_allow_wildcard_collection(self):
self.line = "cortex * * CRD"
perm = permissions.process(self.line)
user = '******'
collection = 'packages'
res_id = 'httpd'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def test_allow_wildcard_collection(self):
self.line = "cortex * * CRD"
perm = permissions.process(self.line)
user = '******'
collection = 'packages'
res_id = 'httpd'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def test_if_cannot_read_then_cannot_ping(self):
self.line = "* files * -"
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = ''
action = 'ping'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_nothing_allowed(self):
self.line = "* * * -"
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertFalse(action in perms)
def test_lines_order_matter_success(self):
fp = self._get_fp('permissions.conf')
perm_list = permissions.get(fp)
user = '******'
collection = 'files'
res_id = '/etc/hosts'
action = 'update'
perms = permissions.check(perm_list, user, collection, res_id)
self.assertTrue(action in perms)
def test_lines_order_matter_fail(self):
fp = self._get_fp('permissions.conf')
perm_list = permissions.get(fp)
user = '******'
collection = 'executables'
res_id = 'rm -rf /'
action = 'update'
perms = permissions.check(perm_list, user, collection, res_id)
self.assertFalse(action in perms)
def test_allow_space_in_res_id(self):
self.line = """cortex files "/home/user/My Images/*" CRD"""
perm = permissions.process(self.line)
user = '******'
collection = 'files'
res_id = '/home/user/My Images/test.png'
action = 'read'
perms = permissions.check([perm], user, collection, res_id)
self.assertTrue(action in perms)
def call_method(self, user_id, body, check_perm=True):
"""Reads the collection the message needs to reach and then calls the
process method of that collection. It returns the response built by the
collection.
"""
response = {}
# Check if collection is specified and that the resource actually
# exists.
if not isinstance(body, dict):
raise ResourceException("Bad message formatting")
# Check if the message body contains filters.
filters = body.get('filters')
res_id = body.get('id') or ''
if check_perm:
perms = permissions.check(self.permissions,
user_id,
body.get('collection'),
res_id)
if body.get('action') not in perms:
raise ResourceException("You don't have permission to do "
"that.")
if filters:
if not self._check_filters(filters):
raise ResourceException("Filters did not match")
collection = body.get('collection')
# Get a reference to the corresponding resource object.
# Check if the object isn't already instantiated.
try:
instance = self.locator.get_instance(collection)
# Call the resource's generic process method
response = instance.process(body)
# Check if it can be dumped in JSON format
try:
json.dumps(response)
except UnicodeDecodeError, err:
raise ResourceException("Problem when decoding payload.")
except ResourceException, err:
self.logger.debug("Resource exception: %s" % err)
if response.get('status'):
del response['status']
response['error'] = '%s' % err
response['uuid'] = self.uuid
def call_method(self, user_id, body, check_perm=True):
"""Reads the collection the message needs to reach and then calls the
process method of that collection. It returns the response built by the
collection.
"""
response = {}
# Check if collection is specified and that the resource actually
# exists.
if not isinstance(body, dict):
raise ResourceException("Bad message formatting")
# Check if the message body contains filters.
filters = body.get('filters')
if check_perm:
perms = permissions.check(self.permissions, user_id,
body.get('collection'), body.get('id'))
if body.get('action') not in perms:
raise ResourceException("You don't have permission to do "
"that.")
if filters:
if not self._check_filters(filters):
raise ResourceException("Filters did not match")
collection = body.get('collection')
# Get a reference to the corresponding resource object.
# Check if the object isn't already instantiated.
try:
instance = self.locator.get_instance(collection)
# Call the resource's generic process method
response = instance.process(body)
# Check if it can be dumped in JSON format
try:
json.dumps(response)
except UnicodeDecodeError, err:
raise ResourceException("Problem when decoding payload.")
except ResourceException, err:
self.logger.debug("Resource exception: %s" % err)
if response.get('status'):
del response['status']
response['error'] = '%s' % err
response['uuid'] = self.uuid