def __init__(self, client_realm, server_realm, authz_remote):
gssapiprotocol.GSSAPILineServer.__init__(self)
self.client_realm = client_realm
self.server_realm = server_realm
self.authorizer = None
if authz_remote:
self.authorizer = authz.ClientAuthorizer(self.peer, authz_remote)
def test_authorize(self):
"""Test request authorization."""
ipasrv = ipa525.IPA525Server(client_realm=['c_realm.org'],
server_realm='s_realm.org',
authz_remote=None)
# Successful self authorization.
ipasrv._authorize('user1@c_realm.org', 'user1@s_realm.org')
# Invalid client realm.
self.assertRaises(authz.AuthorizationError, ipasrv._authorize,
'*****@*****.**', 'user1@s_realm.org')
# Different user, authorized is not specified.
self.assertRaises(authz.AuthorizationError, ipasrv._authorize,
'user1@c_realm.org', 'user2@s_realm.org')
ipasrv.authorizer = authz.ClientAuthorizer(lambda: 'userX@c_realm.org',
'/var/run/auth.sock')
# Successful self authorization.
ipasrv._authorize('user1@c_realm.org', 'user1@s_realm.org')
self.assertFalse(treadmill.restclient.post.called)
# Impersonation request
treadmill.restclient.post.return_value = mock.MagicMock()
ipasrv._authorize('userX@c_realm.org', 'user2@s_realm.org')
treadmill.restclient.post.assert_called_with(
['/var/run/auth.sock'],
'/userX@c_realm.org/ipa525/user',
payload={
'payload': None,
'pk': 'user2'
})
def invoke_grp(authz):
"""Directly invoke Treadmill API without REST."""
if authz is not None:
ctx.authorizer = authz_mod.ClientAuthorizer(
utils.get_current_username, authz)
else:
ctx.authorizer = authz_mod.NullAuthorizer()
if cli.OUTPUT_FORMAT is None:
raise click.BadParameter('must use --outfmt [json|yaml]')
def invoke(authz):
"""Directly invoke Treadmill API without REST."""
if authz is not None:
ctx.authorizer = authz_mod.ClientAuthorizer(
lambda: pwd.getpwuid(os.getuid()).pw_name, authz)
else:
ctx.authorizer = authz_mod.NullAuthorizer()
if cli.OUTPUT_FORMAT == 'pretty':
raise click.BadParameter('must use --outfmt [json|yaml]')
def get_authorizer(authz_arg=None):
"""Get authozrizer by argujents"""
def user_clbk():
"""Get current user from the request."""
return flask.g.get('user')
if authz_arg is None:
authorizer = authz.NullAuthorizer()
else:
authorizer = authz.ClientAuthorizer(user_clbk, authz_arg)
return authorizer
def init(apis, title=None, cors_origin=None, authz_arg=None):
"""Module initialization."""
blueprint = flask.Blueprint('v1', __name__)
api = restplus.Api(blueprint,
version='1.0',
title=title,
description="Treadmill REST API Documentation")
error_handlers.register(api)
# load up any external error_handlers
try:
err_handlers_plugin = importlib.import_module(
'treadmill.plugins.rest.error_handlers')
err_handlers_plugin.init(api)
except ImportError as err:
_LOGGER.warn('Unable to load error_handlers plugin: %s', err)
@blueprint.route('/docs/', endpoint='docs')
def _swagger_ui():
"""Swagger documentation route"""
return restplus.apidoc.ui_for(api)
rest.FLASK_APP.register_blueprint(blueprint)
rest.FLASK_APP.register_blueprint(restplus.apidoc.apidoc)
cors = webutils.cors(origin=cors_origin,
content_type='application/json',
credentials=True)
@rest.FLASK_APP.after_request
def _after_request_cors_handler(response):
"""Process all OPTIONS request, thus don't need to add to each app"""
if flask.request.method != 'OPTIONS':
return response
_LOGGER.debug('This is an OPTIONS call')
def _noop_options():
"""No noop response handler for all OPTIONS"""
pass
headers = flask.request.headers.get('Access-Control-Request-Headers')
options_cors = webutils.cors(origin=cors_origin,
credentials=True,
headers=headers)
response = options_cors(_noop_options)()
return response
def user_clbk():
"""Get current user from the request."""
return flask.request.environ.get('REMOTE_USER')
if authz_arg is None:
authorizer = authz.NullAuthorizer()
else:
authorizer = authz.ClientAuthorizer(user_clbk, authz_arg)
endpoints = []
for apiname in apis:
try:
apimod = apiname.replace('-', '_')
_LOGGER.info('Loading api: %s', apimod)
api_restmod = importlib.import_module('.'.join(
['treadmill', 'rest', 'api', apimod]))
api_implmod = importlib.import_module('.'.join(
['treadmill', 'api', apimod]))
api_impl = api_implmod.init(authorizer)
endpoint = api_restmod.init(api, cors, api_impl)
if endpoint is None:
endpoint = apiname.replace('_', '-').replace('.', '/')
if not endpoint.startswith('/'):
endpoint = '/' + endpoint
endpoints.append(endpoint)
except ImportError as err:
_LOGGER.warn('Unable to load %s api: %s', apimod, err)
return endpoints