def _decorator(self, *args, **kwargs):
if not any([
name == AUDIT_SECURITY and argument == perm_arg
for name, argument, _, _ in user_permissions(
self.session, self.current_user)
]):
return self.forbidden()
return f(self, *args, **kwargs)
def _decorator(self, *args, **kwargs):
if not any(
[
name == AUDIT_SECURITY and argument == perm_arg
for name, argument, _, _ in user_permissions(self.session, self.current_user)
]
):
return self.forbidden()
return f(self, *args, **kwargs)
def _decorator(self: GrouperHandler, *args: Any,
**kwargs: Any) -> None:
if not any([
name == AUDIT_SECURITY and argument == perm_arg
for name, argument, _, _ in user_permissions(
self.session, self.current_user)
]):
return self.forbidden()
f(self, *args, **kwargs)
def _decorator(self, *args, **kwargs):
# type: (GrouperHandler, *Any, **Any) -> None
if not any(
[
name == AUDIT_SECURITY and argument == perm_arg
for name, argument, _, _ in user_permissions(self.session, self.current_user)
]
):
return self.forbidden()
f(self, *args, **kwargs)
def test_permissions(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "prod"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
def test_tags(session, users, http_client, base_url, graph):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
grant_permission_to_tag(session, tag.id, perm.id, "prod")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, key1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def get_public_key_permissions(session, public_key):
# type: (Session, PublicKey) -> List[Permission]
"""Returns the permissions that this public key has. Namely, this the set of permissions
that the public key's owner has, intersected with the permissions allowed by this key's
tags
Returns:
a list of all permissions this public key has
"""
# TODO: Fix circular dependency
from grouper.permissions import permission_intersection
my_perms = user_permissions(session, public_key.user)
for tag in get_public_key_tags(session, public_key):
my_perms = permission_intersection(
my_perms, get_public_key_tag_permissions(session, tag))
return list(my_perms)
def get_public_key_permissions(session, public_key):
# type: (Session, PublicKey) -> List[Permission]
"""Returns the permissions that this public key has. Namely, this the set of permissions
that the public key's owner has, intersected with the permissions allowed by this key's
tags
Returns:
a list of all permissions this public key has
"""
# TODO: Fix circular dependency
from grouper.permissions import permission_intersection
my_perms = user_permissions(session, public_key.user)
for tag in get_public_key_tags(session, public_key):
my_perms = permission_intersection(my_perms,
get_public_key_tag_permissions(session, tag))
return list(my_perms)
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter",
description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(
name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(
session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(
session,
key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(
session, key
)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(
session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key[
'fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key[
'fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][
0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_permissions(users, http_client, base_url, session): # noqa: F811
user = session.query(User).filter_by(username="******").scalar()
create_permission(session, TAG_EDIT)
session.commit()
create_permission(session, "it.literally.does.not.matter")
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, "it.literally.does.not.matter"),
"*",
)
fe_url = url(base_url, "/tags")
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={"X-Grouper-User": user.username},
)
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/permissions/grant_tag/{}".format(tag.name))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"permission": TAG_EDIT, "argument": "prod"}),
headers={"X-Grouper-User": user.username},
)
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, "/users/{}/public-key/{}/tag".format(user.username, key.id))
yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"tagname": "tyler_was_here"}),
headers={"X-Grouper-User": user.username},
)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert (
len(get_public_key_permissions(session, key)) == 1
), "The SSH Key should have only 1 permission"
assert (
get_public_key_permissions(session, key)[0].name == TAG_EDIT
), "The SSH key's permission should be TAG_EDIT"
assert (
get_public_key_permissions(session, key)[0].argument == "prod"
), "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
def test_permissions(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm = Permission(name="it.literally.does.not.matter",
description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
session.query(Permission).filter_by(
name="it.literally.does.not.matter").scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'tagname':
"tyler_was_here",
"description":
"Test Tag Please Ignore"
}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'permission': TAG_EDIT,
"argument": "prod"
}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url,
'/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode(
{'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(
session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(
session,
key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(
session, key
)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(
session, user)) > 1, "The user should have more than 1 permission"
def test_exclude_disabled_permissions(
session, standard_graph, graph, users, groups, permissions # noqa: F811
):
"""
Ensure that disabled permissions are excluded from various
functions/methods that return data from the models.
"""
perm_ssh = get_permission(session, "ssh")
perm_grant = create_permission(session, PERMISSION_GRANT)
session.commit()
# this user has grouper.permission.grant with argument "ssh/*"
grant_permission(groups["group-admins"], perm_grant, argument="ssh/*")
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name
assert "ssh" in (p.name for p in get_all_permissions(session))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" in get_grantable_permissions(session, [])
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)]
assert get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" in get_owners_by_grantable_permission(session)
assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]))
assert user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"])
assert "ssh" in (pt.name for pt in graph.get_permissions())
assert "team-sre" in graph.get_permission_details("ssh")["groups"]
assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"])
# now disable the ssh permission
disable_permission(session, "ssh", users["*****@*****.**"].id)
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert not filter_grantable_permissions(session, grant_perms)
assert "ssh" not in (p.name for p in get_all_permissions(session))
assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" not in get_grantable_permissions(session, [])
assert not get_groups_by_permission(session, perm_ssh)
assert not get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" not in get_owners_by_grantable_permission(session)
assert "ssh" not in (
x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])
)
assert not user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" not in (
p["permission"] for p in graph.get_group_details("team-sre")["permissions"]
)
assert "ssh" not in (pt.name for pt in graph.get_permissions())
assert not graph.get_permission_details("ssh")["groups"]
assert "ssh" not in (
p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]
)
def test_tags(session, http_client, base_url, graph): # noqa: F811
perm = create_permission(session, TAG_EDIT)
session.commit()
create_permission(session, "it.literally.does.not.matter")
session.commit()
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, TAG_EDIT),
"*",
)
grant_permission(
session.query(Group).filter_by(groupname="all-teams").scalar(),
get_permission(session, "it.literally.does.not.matter"),
"*",
)
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert (
len(get_public_key_permissions(session, key)) == 1
), "The SSH Key should have only 1 permission"
assert (
get_public_key_permissions(session, key)[0].name == TAG_EDIT
), "The SSH key's permission should be TAG_EDIT"
assert (
get_public_key_permissions(session, key)[0].argument == "prod"
), "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body["data"]["user"]["public_keys"][0]
assert len(pub_key["tags"]) == 1, "The public key should only have 1 tag"
assert pub_key["fingerprint"] == "e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35"
assert pub_key["fingerprint_sha256"] == "MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU"
assert pub_key["tags"][0] == "tyler_was_here", "The public key should have the tag we gave it"
