def test_grantable_permissions(session, standard_graph, users, groups, grantable_permissions): perm_grant, perm0, perm1, _ = grantable_permissions assert not user_grantable_permissions(session, users["*****@*****.**"]), "start with none" grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one") assert not user_grantable_permissions(session, users["*****@*****.**"]), "grant on non-existent is fine" grant_permission(groups["auditors"], perm_grant, argument=perm0.name) grants = user_grantable_permissions(session, users["*****@*****.**"]) assert len(grants) == 1, "only specific permission grant" assert grants[0][0].name == perm0.name, "only specific permission grant" grant_permission(groups["auditors"], perm_grant, argument="grantable.*") grants = user_grantable_permissions(session, users["*****@*****.**"]) assert len(grants) == 3, "wildcard grant should grab appropriat amount" assert sorted([x[0].name for x in grants]) == ["grantable", "grantable.one", "grantable.two"] args_by_perm = get_grantable_permissions(session, None) assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected in list of grantable" grant_permission(groups["auditors"], perm_grant, argument="{}/single_arg".format(perm1.name)) args_by_perm = get_grantable_permissions(session, None) assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected cause no restricted perms" args_by_perm = get_grantable_permissions(session, [perm1.name]) assert args_by_perm[perm1.name] == ["single_arg"], "least permissive argument shown cause of restricted perms"
def test_grantable_permissions( session, standard_graph, users, groups, grantable_permissions # noqa: F811 ): perm_grant, perm0, perm1, _ = grantable_permissions assert not user_grantable_permissions(session, users["*****@*****.**"]), "start with none" grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one") assert not user_grantable_permissions( session, users["*****@*****.**"] ), "grant on non-existent is fine" grant_permission(groups["auditors"], perm_grant, argument=perm0.name) grants = user_grantable_permissions(session, users["*****@*****.**"]) assert len(grants) == 1, "only specific permission grant" assert grants[0][0].name == perm0.name, "only specific permission grant" grant_permission(groups["auditors"], perm_grant, argument="grantable.*") grants = user_grantable_permissions(session, users["*****@*****.**"]) assert len(grants) == 3, "wildcard grant should grab appropriat amount" assert sorted([x[0].name for x in grants]) == ["grantable", "grantable.one", "grantable.two"] args_by_perm = get_grantable_permissions(session, None) assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected in list of grantable" grant_permission(groups["auditors"], perm_grant, argument="{}/single_arg".format(perm1.name)) args_by_perm = get_grantable_permissions(session, None) assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected cause no restricted perms" args_by_perm = get_grantable_permissions(session, [perm1.name]) assert args_by_perm[perm1.name] == [ "single_arg" ], "least permissive argument shown cause of restricted perms"
def get(self, *args, **kwargs): # type: (*Any, **Any) -> None group_id = kwargs.get("group_id") # type: Optional[int] name = kwargs.get("name") # type: Optional[str] group = Group.get(self.session, group_id, name) if not group: return self.notfound() # Only members can request permissions if not self.current_user.is_member(group.my_members()): return self.forbidden() args_by_perm = get_grantable_permissions( self.session, settings().restricted_ownership_permissions ) dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm, None) self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), dropdown_help=settings().permission_request_dropdown_help, text_help=settings().permission_request_text_help, )
def get(self, *args, **kwargs): # type: (*Any, **Any) -> None group_id = kwargs.get("group_id") # type: Optional[int] name = kwargs.get("name") # type: Optional[str] group = Group.get(self.session, group_id, name) if not group: return self.notfound() # Only members can request permissions if not self.current_user.is_member(group.my_members()): return self.forbidden() args_by_perm = get_grantable_permissions( self.session, settings().restricted_ownership_permissions) dropdown_form, text_form = GroupPermissionRequest._get_forms( args_by_perm, None) self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), dropdown_help=settings().permission_request_dropdown_help, text_help=settings().permission_request_text_help, )
def _build_form(self, data): # type: (Optional[int]) -> Tuple[PermissionRequestForm, Dict[str, List[str]]] """Build the permission request form given the request and POST data. Normally all fields of the form will be editable. But if the URL locks down a specific value for the group, permission, or argument, then the specified fields will display those values and will be grayed out and not editable. """ session = self.session current_user = self.current_user def pairs(seq): # type: (Iterable[str]) -> List[Tuple[str, str]] return [(item, item) for item in seq] form = PermissionRequestForm(data) group_names = { g.groupname for g, e in get_groups_by_user(session, current_user) } args_by_perm = get_grantable_permissions( session, settings().restricted_ownership_permissions) permission_names = {p for p in args_by_perm} group_param = self.get_argument("group", None) if group_param is not None: if group_param not in group_names: raise HTTPError( status_code=404, reason="the group name in the URL is not one you belong to" ) form.group_name.choices = pairs([group_param]) form.group_name.render_kw = {"readonly": "readonly"} form.group_name.data = group_param else: form.group_name.choices = pairs([""] + sorted(group_names)) permission_param = self.get_argument("permission", None) if permission_param is not None: if permission_param not in permission_names: raise HTTPError( status_code=404, reason="an unrecognized permission is specified in the URL" ) form.permission.choices = pairs([permission_param]) form.permission.render_kw = {"readonly": "readonly"} form.permission.data = permission_param else: form.permission.choices = pairs(sorted(permission_names)) argument_param = self.get_argument("argument", "") if argument_param: form.argument.render_kw = {"readonly": "readonly"} form.argument.data = argument_param return form, args_by_perm
def _build_form(self, data): # type: (Optional[int]) -> Tuple[PermissionRequestForm, Dict[Permission, List[str]]] """Build the permission request form given the request and POST data. Normally all fields of the form will be editable. But if the URL locks down a specific value for the group, permission, or argument, then the specified fields will display those values and will be grayed out and not editable. """ session = self.session current_user = self.current_user def pairs(seq): # type: (Iterable[str]) -> List[Tuple[str, str]] return [(item, item) for item in seq] form = PermissionRequestForm(data) group_names = {g.groupname for g, e in get_groups_by_user(session, current_user)} args_by_perm = get_grantable_permissions( session, settings().restricted_ownership_permissions ) permission_names = {p for p in args_by_perm} group_param = self.get_argument("group", None) if group_param is not None: if group_param not in group_names: raise HTTPError( status_code=404, reason="the group name in the URL is not one you belong to" ) form.group_name.choices = pairs([group_param]) form.group_name.render_kw = {"readonly": "readonly"} else: form.group_name.choices = pairs([""] + sorted(group_names)) permission_param = self.get_argument("permission", None) if permission_param is not None: if permission_param not in permission_names: raise HTTPError( status_code=404, reason="an unrecognized permission is specified in the URL" ) form.permission_name.choices = pairs([permission_param]) form.permission_name.render_kw = {"readonly": "readonly"} else: form.permission_name.choices = pairs([""] + sorted(permission_names)) argument_param = self.get_argument("argument", "") if argument_param: form.argument.render_kw = {"readonly": "readonly"} form.argument.data = argument_param return form, args_by_perm
def get(self, group_id=None, name=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() args_by_perm = get_grantable_permissions(self.session, settings.restricted_ownership_permissions) dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm, None) self.render("group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), dropdown_help=settings.permission_request_dropdown_help, text_help=settings.permission_request_text_help)
def get(self, group_id=None, name=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() # Only members can request permissions if not self.current_user.is_member(group.my_members()): return self.forbidden() args_by_perm = get_grantable_permissions( self.session, settings.restricted_ownership_permissions) dropdown_form, text_form = GroupPermissionRequest._get_forms( args_by_perm, None) self.render("group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), dropdown_help=settings.permission_request_dropdown_help, text_help=settings.permission_request_text_help)
def post(self, group_id=None, name=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() # only owner of group can request permissions for that group role_index = self.current_user.my_role_index(group.my_members()) if role_index not in OWNER_ROLE_INDICES: return self.forbidden() # check inputs args_by_perm = get_grantable_permissions(self.session, settings.restricted_ownership_permissions) dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm, self.request.arguments) argument_type = self.request.arguments.get("argument_type") if argument_type and argument_type[0] == "text": form = text_form elif argument_type and argument_type[0] == "dropdown": form = dropdown_form form.argument.choices = [(a, a) for a in args_by_perm[form.permission_name.data]] else: # someone messing with the form self.log_message("unknown argument type", group_name=group.name, argument_type=argument_type) return self.forbidden() if not form.validate(): return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=self.get_form_alerts(form.errors), dropdown_help=settings.permission_request_dropdown_help, text_help=settings.permission_request_text_help, ) permission = Permission.get(self.session, form.permission_name.data) assert permission is not None, "our prefilled permission should exist or we have problems" # save off request try: permissions.create_request(self.session, self.current_user, group, permission, form.argument.data, form.reason.data) except permissions.RequestAlreadyGranted: alerts = [Alert("danger", "This group already has this permission and argument.")] except permissions.RequestAlreadyExists: alerts = [Alert("danger", "Request for permission and argument already exists, please wait patiently.")] except permissions.NoOwnersAvailable: self.log_message("prefilled perm+arg have no owner", group_name=group.name, permission_name=permission.name, argument=form.argument.data) alerts = [Alert("danger", "No owners available for requested permission and argument." " If this error persists please contact an adminstrator.")] else: alerts = None if alerts: return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=alerts, ) else: return self.redirect("/groups/{}".format(group.name))
def post(self, group_id=None, name=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() # Only members can request permissions if not self.current_user.is_member(group.my_members()): return self.forbidden() # check inputs args_by_perm = get_grantable_permissions( self.session, settings.restricted_ownership_permissions) dropdown_form, text_form = GroupPermissionRequest._get_forms( args_by_perm, self.request.arguments) argument_type = self.request.arguments.get("argument_type") if argument_type and argument_type[0] == "text": form = text_form elif argument_type and argument_type[0] == "dropdown": form = dropdown_form form.argument.choices = [ (a, a) for a in args_by_perm[form.permission_name.data] ] else: # someone messing with the form self.log_message("unknown argument type", group_name=group.name, argument_type=argument_type) return self.forbidden() if not form.validate(): return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=self.get_form_alerts(form.errors), dropdown_help=settings.permission_request_dropdown_help, text_help=settings.permission_request_text_help, ) permission = Permission.get(self.session, form.permission_name.data) assert permission is not None, "our prefilled permission should exist or we have problems" # save off request try: request = permissions.create_request(self.session, self.current_user, group, permission, form.argument.data, form.reason.data) except permissions.RequestAlreadyGranted: alerts = [ Alert("danger", "This group already has this permission and argument.") ] except permissions.RequestAlreadyExists: alerts = [ Alert( "danger", "Request for permission and argument already exists, please wait patiently." ) ] except permissions.NoOwnersAvailable: self.log_message("prefilled perm+arg have no owner", group_name=group.name, permission_name=permission.name, argument=form.argument.data) alerts = [ Alert( "danger", "No owners available for requested permission and argument." " If this error persists please contact an adminstrator.") ] else: alerts = None if alerts: return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=alerts, ) else: return self.redirect("/permissions/requests/{}".format(request.id))
def test_exclude_disabled_permissions( session, standard_graph, graph, users, groups, permissions # noqa: F811 ): """ Ensure that disabled permissions are excluded from various functions/methods that return data from the models. """ perm_ssh = get_permission(session, "ssh") perm_grant = create_permission(session, PERMISSION_GRANT) session.commit() # this user has grouper.permission.grant with argument "ssh/*" grant_permission(groups["group-admins"], perm_grant, argument="ssh/*") graph.update_from_db(session) grant_perms = [ x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT ] assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name assert "ssh" in (p.name for p in get_all_permissions(session)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True)) assert "ssh" in get_grantable_permissions(session, []) assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)] assert get_owner_arg_list(session, perm_ssh, "*") assert "ssh" in get_owners_by_grantable_permission(session) assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])) assert user_has_permission(session, users["*****@*****.**"], "ssh") assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"])) assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"]) assert "ssh" in (pt.name for pt in graph.get_permissions()) assert "team-sre" in graph.get_permission_details("ssh")["groups"] assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]) # now disable the ssh permission disable_permission(session, "ssh", users["*****@*****.**"].id) graph.update_from_db(session) grant_perms = [ x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT ] assert not filter_grantable_permissions(session, grant_perms) assert "ssh" not in (p.name for p in get_all_permissions(session)) assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False)) assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True)) assert "ssh" not in get_grantable_permissions(session, []) assert not get_groups_by_permission(session, perm_ssh) assert not get_owner_arg_list(session, perm_ssh, "*") assert "ssh" not in get_owners_by_grantable_permission(session) assert "ssh" not in ( x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]) ) assert not user_has_permission(session, users["*****@*****.**"], "ssh") assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"])) assert "ssh" not in ( p["permission"] for p in graph.get_group_details("team-sre")["permissions"] ) assert "ssh" not in (pt.name for pt in graph.get_permissions()) assert not graph.get_permission_details("ssh")["groups"] assert "ssh" not in ( p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"] )
def post(self, *args, **kwargs): # type: (*Any, **Any) -> None group_id = kwargs.get("group_id") # type: Optional[int] name = kwargs.get("name") # type: Optional[str] group = Group.get(self.session, group_id, name) if not group: return self.notfound() # Only members can request permissions if not self.current_user.is_member(group.my_members()): return self.forbidden() # check inputs args_by_perm = get_grantable_permissions( self.session, settings().restricted_ownership_permissions ) dropdown_form, text_form = GroupPermissionRequest._get_forms( args_by_perm, self.request.arguments ) argument_type = self.request.arguments.get("argument_type") if argument_type and argument_type[0].decode() == "text": form = text_form elif argument_type and argument_type[0].decode() == "dropdown": form = dropdown_form form.argument.choices = [(a, a) for a in args_by_perm[form.permission_name.data]] else: # someone messing with the form self.log_message( "unknown argument type", group_name=group.name, argument_type=argument_type ) return self.forbidden() if not form.validate(): return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=self.get_form_alerts(form.errors), dropdown_help=settings().permission_request_dropdown_help, text_help=settings().permission_request_text_help, ) permission = get_permission(self.session, form.permission_name.data) assert permission is not None, "our prefilled permission should exist or we have problems" # save off request try: request = permissions.create_request( self.session, self.current_user, group, permission, form.argument.data, form.reason.data, ) except permissions.RequestAlreadyGranted: alerts = [Alert("danger", "This group already has this permission and argument.")] except permissions.RequestAlreadyExists: alerts = [ Alert( "danger", "Request for permission and argument already exists, please wait patiently.", ) ] except permissions.NoOwnersAvailable: self.log_message( "prefilled perm+arg have no owner", group_name=group.name, permission_name=permission.name, argument=form.argument.data, ) alerts = [ Alert( "danger", "No owners available for requested permission and argument." " If this error persists please contact an adminstrator.", ) ] except UserNotAuditor as e: alerts = [Alert("danger", str(e))] else: alerts = [] if alerts: return self.render( "group-permission-request.html", dropdown_form=dropdown_form, text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm), alerts=alerts, ) else: return self.redirect("/permissions/requests/{}".format(request.id))