def test_has_access_top_secret(self):
        """A user cleared through TOP SECRET who also holds FOUO and ABC can read
        a marking at any level that names only those formal accesses; a marking
        naming a formal access the user lacks (XYZ), or an unrecognised level,
        is denied.

        NOTE(review): this case never exercises a user whose clearance list
        stops below the requested level -- confirm that denial is covered by a
        sibling test.
        """
        all_levels = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

        def accesses(formal):
            # same key order as the hand-written dicts so the JSON is identical
            return json.dumps(
                {"clearances": list(all_levels), "formal_accesses": formal, "visas": []}
            )

        with_fouo_abc = accesses(["FOUO", "ABC"])
        # every level is readable when the user holds both formal accesses
        # named on the marking
        for level in all_levels:
            self.assertTrue(
                access_control.has_access(with_fouo_abc, level + "//FOUO//ABC")
            )

        # a bare level with no formal-access component needs no formal accesses
        self.assertTrue(access_control.has_access(accesses([]), "TOP SECRET"))

        # XYZ is not among the user's formal accesses -> denied at any level
        for level in ("SECRET", "UNCLASSIFIED"):
            self.assertFalse(
                access_control.has_access(with_fouo_abc, level + "//FOUO//ABC/XYZ")
            )
        # a level that is not a known classification is denied
        self.assertFalse(access_control.has_access(with_fouo_abc, "INVALID LEVEL"))
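def get_all_listings_for_profile_by_id(current_request_username, profile_id, listing_id=None):
    """Return the listings owned by ``profile_id`` that ``current_request_username``
    is allowed to see, or a single one when ``listing_id`` is given.

    ``profile_id`` may be the literal ``'self'`` to mean the requesting user.
    Private listings are always dropped, then every remaining listing's
    ``security_marking`` is checked against the requester's ``access_control``
    and those failing the check are removed.

    Returns ``None`` when either profile does not exist, or when ``listing_id``
    names a listing that is missing *or* was removed by the checks above (both
    surface as ``Listing.DoesNotExist``) -- the caller cannot tell the two
    apart, which is the fail-closed behaviour we want.
    """
    try:
        # The requester's profile is needed for the access check in both
        # branches, so resolve it first; a missing requester profile now
        # returns None in the non-'self' case too instead of raising.
        current_profile_instance = models.Profile.objects.get(user__username=current_request_username)
        if profile_id == 'self':
            profile_instance = current_profile_instance.user
        else:
            profile_instance = models.Profile.objects.get(id=profile_id).user
    except models.Profile.DoesNotExist:
        return None

    try:
        listings = models.Listing.objects.filter(owners__id=profile_instance.id)
        listings = listings.exclude(is_private=True)

        # filter out listings by user's access level. Exclude by primary key
        # rather than title (the TODO the original left): a title is not a
        # reliable key, and an accessible listing must not be hidden because
        # an inaccessible one happens to share its name.
        ids_to_exclude = []
        for i in listings:
            if not i.security_marking:
                # A blank marking is still handed to has_access(); whatever
                # that helper decides for it is the effective policy here.
                logger.debug('Listing %s has no security_marking' % i.title)
            if not access_control.has_access(current_profile_instance.access_control, i.security_marking):
                ids_to_exclude.append(i.id)
        listings = listings.exclude(id__in=ids_to_exclude)

        if listing_id:
            # raises DoesNotExist (-> None) if the id was filtered out above
            filtered_listing = listings.get(id=listing_id)
        else:
            filtered_listing = listings.all()

        return filtered_listing
    except models.Listing.DoesNotExist:
        return None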
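    def for_user(self, username):
        """Return the listings ``username`` may see.

        Two filters are applied in order:

        1. Private listings belonging to an agency the user is not a member of
           (for an ORG_STEWARD: does not steward) are dropped. An
           APPS_MALL_STEWARD keeps private listings of every agency.
        2. Each remaining listing's ``security_marking`` is checked with
           ``access_control.has_access`` against ``user.access_control``;
           failures are removed by primary key.

        Raises ``Profile.DoesNotExist`` when ``username`` has no profile.
        """
        # get all listings
        objects = super(AccessControlListingManager, self).get_queryset()
        user = Profile.objects.get(user__username=username)

        # highest_role() is evaluated once; it decides which org list grants
        # visibility into private listings.
        role = user.highest_role()
        if role == 'APPS_MALL_STEWARD':
            exclude_orgs = []
        else:
            if role == 'ORG_STEWARD':
                # NOTE(review): a steward's plain memberships
                # (user.organizations) are not consulted here -- confirm that
                # is intended.
                member_of = user.stewarded_organizations.all()
            else:
                member_of = user.organizations.all()
            visible_titles = [org.title for org in member_of]
            exclude_orgs = Agency.objects.exclude(title__in=visible_titles)

        # exclude() with two kwargs removes only rows matching BOTH conditions:
        # private AND in a foreign agency. Public listings of foreign agencies
        # stay visible.
        objects = objects.exclude(is_private=True,
                                  agency__in=exclude_orgs)

        # filter out listings by user's access level. Exclude by primary key
        # rather than title: a title is not a reliable key, and an accessible
        # listing must not be hidden because an inaccessible one shares its
        # name.
        ids_to_exclude = []
        for i in objects:
            if not i.security_marking:
                # a blank marking is still handed to has_access() unchanged
                logger.debug('Listing %s has no security_marking' % i.title)
            if not access_control.has_access(user.access_control, i.security_marking):
                ids_to_exclude.append(i.id)
        objects = objects.exclude(id__in=ids_to_exclude)
        return objects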
    def validate_security_marking(self, value):
        """Reject a ``security_marking`` that the requesting user could not
        themselves read, so nobody can label a record above their own access
        level.

        The requester's profile is resolved from ``self.context['request']``
        before ``value`` is inspected. A falsy ``value`` is returned unchanged:
        this validator does not require a marking to be present -- whether a
        blank marking should be allowed at all is decided elsewhere, not here.

        Raises ``serializers.ValidationError`` when the marking is too high.
        """
        request_user = self.context['request'].user
        profile = generic_model_access.get_profile(request_user.username)

        if not value:
            return value
        if access_control.has_access(profile.access_control, value):
            return value
        raise serializers.ValidationError(
            'Security marking too high for current user')
 def for_user(self, username):
     """Return only the images whose ``security_marking`` ``username`` may read.

     Every image in the base queryset is run through
     ``access_control.has_access`` against the user's ``access_control``; the
     ids of those that fail are excluded. A blank marking is handed to
     ``has_access`` unchanged -- no special case, no log line.

     Raises ``Profile.DoesNotExist`` when ``username`` has no profile.
     """
     # get all images
     base = super(AccessControlImageManager, self).get_queryset()
     profile = Profile.objects.get(user__username=username)
     # filter out images by user's access level
     denied_ids = [
         img.id for img in base
         if not access_control.has_access(profile.access_control, img.security_marking)
     ]
     return base.exclude(id__in=denied_ids)
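 def retrieve(self, request, pk=None):
     """
     Return an image, enforcing access control.

     The image is looked up in ``self.get_queryset()`` (404 if absent), then
     its ``security_marking`` is checked against the requester's
     ``access_control`` (403 on failure) before any file is opened. The second
     check is defence in depth: it holds even if the queryset was not
     pre-filtered. NOTE(review): if the queryset is not pre-filtered, the 403
     does reveal that an id exists -- confirm that is acceptable.

     Returns an ``HttpResponse`` with the raw file bytes, 403 when the marking
     is too high, 404 when the row or the file on disk is missing.
     """
     queryset = self.get_queryset()
     image = get_object_or_404(queryset, pk=pk)
     image_path = model_access.get_image_path(pk)
     # enforce access control before touching the filesystem
     user = generic_model_access.get_profile(self.request.user.username)
     if not access_control.has_access(user.access_control,
             image.security_marking):
         return Response(status=status.HTTP_403_FORBIDDEN)
     # NOTE(review): the content type is built from the stored extension; if
     # file_extension is ever user-supplied at upload time it should be
     # constrained to an allowlist of raster types (no 'svg+xml', which is
     # script-capable when served inline) -- confirm where it is validated.
     content_type = 'image/' + image.file_extension
     try:
         with open(image_path, 'rb') as f:
             return HttpResponse(f.read(), content_type=content_type)
     except IOError:
         # ``pk`` comes from the URL and may be a str; the previous
         # ``'%d' % pk`` raised TypeError inside this handler and turned the
         # intended 404 into a 500. Lazy %s formatting accepts either type.
         logger.error('No image found for pk %s', pk)
         return Response(status=status.HTTP_404_NOT_FOUND)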
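 def for_user(self, username):
     """Return the listings ``username`` may see.

     Private listings whose ``agency`` the user does not belong to are dropped
     first (public listings of foreign agencies remain visible); then every
     remaining listing's ``security_marking`` is checked with
     ``access_control.has_access`` and failures are removed by primary key.

     Raises ``Profile.DoesNotExist`` when ``username`` has no profile.
     """
     # get all listings
     objects = super(AccessControlListingManager, self).get_queryset()
     user = Profile.objects.get(user__username=username)
     user_orgs = [org.title for org in user.organizations.all()]
     # get all agencies for which this user is not a member
     exclude_orgs = Agency.objects.exclude(title__in=user_orgs)
     # exclude() with two kwargs removes only rows matching BOTH conditions:
     # private AND in a foreign agency
     objects = objects.exclude(is_private=True,
         agency__in=exclude_orgs)
     # filter out listings by user's access level. Exclude by primary key
     # rather than title: a title is not a reliable key, and an accessible
     # listing must not be hidden because an inaccessible one shares its name.
     ids_to_exclude = []
     for i in objects:
         if not i.security_marking:
             # a blank marking is still handed to has_access() unchanged
             logger.error('Listing %s has no security_marking' % i.title)
         if not access_control.has_access(user.access_control, i.security_marking):
             ids_to_exclude.append(i.id)
     objects = objects.exclude(id__in=ids_to_exclude)
     return objects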