Пример #1
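    def add_permissions_to_role(self, role_id, resource, operations):
        """
        Add permissions to a role and propagate them to the role's members.

        The role document is saved before any member is granted the new
        operations. If the save raises, no user ends up holding a grant that
        the role document does not record.

        @type role_id: str
        @param role_id: role identifier

        @type resource: str
        @param resource: resource path to grant permissions to

        @type operations: list or tuple
        @param operations: allowed operations being granted

        @raise PulpDataException: if role_id names the super-user role
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Merge into the role's list without duplicating existing operations.
        current_ops = role['permissions'].setdefault(resource, [])
        for o in operations:
            if o not in current_ops:
                current_ops.append(o)

        # Record the change on the role first. Granting to users before the
        # save could leave grants behind that remove_permissions_from_role
        # would never revoke, because the role would not list them.
        Role.get_collection().save(role, safe=True)

        users = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for user in users:
            factory.permission_manager().grant(resource, user['login'],
                                               operations)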
Пример #2
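    def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role and propagate them to the role's members.

        The role document is saved before any member is granted the new
        operations, so a failing save leaves no untracked grants behind.

        :param role_id:           role identifier
        :type  role_id:           str
        :param resource:          resource path to grant permissions to
        :type  resource:          str
        :param operations:        allowed operations being granted
        :type  operations:        list or tuple
        :raise PulpDataException: if role_id names the super-user role
        :raise MissingResource:   if the given role does not exist
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Merge into the role's list without duplicating existing operations.
        current_ops = role['permissions'].setdefault(resource, [])
        for o in operations:
            if o not in current_ops:
                current_ops.append(o)

        # Persist the role before touching users: a grant made ahead of a
        # failed save would not be recorded on the role and so could not be
        # revoked through it later.
        Role.get_collection().save(role, safe=True)

        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            factory.permission_manager().grant(resource, user['login'], operations)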
Пример #3
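    def update_role(role_id, delta):
        """
        Updates a role object.

        Only 'display_name' and 'description' may be changed here. An 'id'
        entry in delta is dropped, which also removes it from the caller's
        dict. Nothing is saved if any other key is present.

        :param role_id:           The role identifier.
        :type  role_id:           str
        :param delta:             A dict containing update keywords.
        :type  delta:             dict
        :return:                  The updated object
        :rtype:                   dict
        :raise MissingResource:   if the given role does not exist
        :raise PulpDataException: if an update keyword is not supported
        """
        delta.pop('id', None)

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        for key, value in delta.items():
            if key not in ('display_name', 'description'):
                # Translate the template, then interpolate. Formatting first
                # would make the catalog lookup miss for every distinct key.
                raise PulpDataException(_("Update Keyword [%s] is not supported") % key)
            role[key] = value

        Role.get_collection().save(role, safe=True)

        # Re-read the role so the caller gets the stored SON object
        updated = Role.get_collection().find_one({'id': role_id})
        return updated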
Пример #4
Файл: cud.py Проект: beav/pulp
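    def create_role(role_id, display_name=None, description=None):
        """
        Creates a new Pulp role.

        The identifier is validated against _ROLE_NAME_REGEX before it is used
        in any database query.

        :param role_id:           unique identifier for the role
        :type  role_id:           str
        :param display_name:      user-readable name of the role
        :type  display_name:      str
        :param description:       free form text used to describe the role
        :type  description:       str
        :raise DuplicateResource: if there is already a role with the requested name
        :raise InvalidValue:      if any of the fields are unacceptable
        :return:                  the stored role document
        :rtype:                   dict
        """
        # Validate first so that an unacceptable id never reaches the query
        if role_id is None or _ROLE_NAME_REGEX.match(role_id) is None:
            raise InvalidValue(['role_id'])

        # NOTE(review): this check and the save below are separate operations;
        # uniqueness under concurrent requests would need a unique index on
        # 'id'. Confirm one is defined on the collection.
        existing_role = Role.get_collection().find_one({'id': role_id})
        if existing_role is not None:
            raise DuplicateResource(role_id)

        # Use the ID for the display name if one was not specified
        display_name = display_name or role_id

        # Creation
        create_me = Role(id=role_id,
                         display_name=display_name,
                         description=description)
        Role.get_collection().save(create_me, safe=True)

        # Retrieve the role to return the SON object
        created = Role.get_collection().find_one({'id': role_id})

        return created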
Пример #5
Файл: cud.py Проект: nbetm/pulp
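    def create_role(role_id, display_name=None, description=None):
        """
        Creates a new Pulp role.

        The identifier is checked against _ROLE_NAME_REGEX before the
        collection is queried for it.

        :param role_id:           unique identifier for the role
        :type  role_id:           str
        :param display_name:      user-readable name of the role
        :type  display_name:      str
        :param description:       free form text used to describe the role
        :type  description:       str
        :raise DuplicateResource: if there is already a role with the requested name
        :raise InvalidValue:      if any of the fields are unacceptable

        :return: The created object
        :rtype: dict
        """
        # Reject a missing or malformed id before using it as a query value
        if role_id is None or _ROLE_NAME_REGEX.match(role_id) is None:
            raise InvalidValue(['role_id'])

        # NOTE(review): lookup and save are not atomic; two concurrent calls
        # with the same id can both pass this check unless the collection
        # enforces a unique index on 'id'. Confirm.
        existing_role = Role.get_collection().find_one({'id': role_id})
        if existing_role is not None:
            raise DuplicateResource(role_id)

        # Use the ID for the display name if one was not specified
        display_name = display_name or role_id

        # Creation
        create_me = Role(id=role_id, display_name=display_name, description=description)
        Role.get_collection().save(create_me, safe=True)

        # Retrieve the role to return the SON object
        created = Role.get_collection().find_one({'id': role_id})

        return created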
Пример #6
Файл: cud.py Проект: bartwo/pulp
 def ensure_super_user_role(self):
     """
     Create the super-user role if it is not stored yet.

     A newly created role receives CREATE, READ, UPDATE, DELETE and EXECUTE
     on the resource path '/'. An existing role document is not modified.
     """
     if Role.get_collection().find_one({'id': self.super_user_role}) is not None:
         return

     new_role = self.create_role(self.super_user_role, 'Super Users',
                                 'Role indicates users with admin privileges')
     perms = factory.permission_manager()
     # This is the broadest grant in the module: all five operations on '/'
     new_role['permissions'] = {
         '/': [perms.CREATE, perms.READ, perms.UPDATE, perms.DELETE, perms.EXECUTE],
     }
     Role.get_collection().save(new_role, safe=True)
Пример #7
 def ensure_super_user_role(self):
     """
     Create the super-user role if get_role() does not find it.

     The new role is given CREATE, READ, UPDATE, DELETE and EXECUTE on the
     resource path '/'. An existing role is left as it is.
     """
     if self.get_role(SUPER_USER_ROLE) is not None:
         return

     admin_role = self.create_role(SUPER_USER_ROLE, 'Super Users',
                                   'Role indicates users with admin privileges')
     # All five operations on '/': the widest grant this module hands out
     all_operations = [CREATE, READ, UPDATE, DELETE, EXECUTE]
     admin_role['permissions'] = {'/': all_operations}
     Role.get_collection().save(admin_role, safe=True)
Пример #8
 def ensure_super_user_role(self):
     """
     Create the super-user role if get_role() does not find it.

     Permissions are stored as a list of {'resource', 'permission'} entries.
     The new role gets a single entry covering CREATE, READ, UPDATE, DELETE
     and EXECUTE on the resource path '/'.
     """
     if self.get_role(SUPER_USER_ROLE) is not None:
         return

     admin_role = self.create_role(SUPER_USER_ROLE, 'Super Users',
                                   'Role indicates users with admin privileges')
     root_entry = {
         'resource': '/',
         'permission': [CREATE, READ, UPDATE, DELETE, EXECUTE],
     }
     admin_role['permissions'] = [root_entry]
     Role.get_collection().save(admin_role)
Пример #9
 def ensure_super_user_role(self):
     """
     Create the super-user role when the collection does not hold it yet.

     The new role is granted CREATE, READ, UPDATE, DELETE and EXECUTE on the
     resource path '/'. If the role already exists nothing is written.
     """
     stored = Role.get_collection().find_one({'id': SUPER_USER_ROLE})
     if stored is not None:
         return

     admin_role = self.create_role(SUPER_USER_ROLE, 'Super Users',
                                   'Role indicates users with admin privileges')
     # Full set of operations on '/'
     admin_role['permissions'] = {'/': [CREATE, READ, UPDATE, DELETE, EXECUTE]}
     Role.get_collection().save(admin_role, safe=True)
Пример #10
 def ensure_super_user_role(self):
     """
     Create the super-user role when the collection does not hold it yet.

     The operation constants are read from the permission manager, and the
     new role is granted all five of them on the resource path '/'. An
     existing role document is not touched.
     """
     stored = Role.get_collection().find_one({'id': self.super_user_role})
     if stored is not None:
         return

     admin_role = self.create_role(self.super_user_role, 'Super Users',
                                   'Role indicates users with admin privileges')
     manager = factory.permission_manager()
     granted = [manager.CREATE, manager.READ, manager.UPDATE,
                manager.DELETE, manager.EXECUTE]
     admin_role['permissions'] = {'/': granted}
     Role.get_collection().save(admin_role, safe=True)
Пример #11
    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove operations on a resource from a role and from its members.

        For each member, only the operations that
        _operations_not_granted_by_roles returns for the member's other roles
        are revoked. Returns without changes when the role holds no
        operations for the resource.

        :param role_id:           role identifier
        :type  role_id:           str
        :param resource:          resource path to revoke permissions from
        :type  resource:          str
        :param operations:        allowed operations being revoked
        :type  operations:        list or tuple
        :raise InvalidValue:      if the role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        # Find the entry for this resource; with duplicates the last one wins
        matched_entry = {}
        held_ops = []
        for entry in role['permissions']:
            if entry['resource'] == resource:
                matched_entry = entry
                held_ops = matched_entry['permission']

        if not held_ops:
            return

        for op in operations:
            if op in held_ops:
                held_ops.remove(op)

        # NOTE(review): the whole `operations` argument is passed on for
        # revocation, including operations this role did not hold. Confirm
        # that is intended.
        members = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(
                role, member['roles'])
            revocable = _operations_not_granted_by_roles(
                resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'],
                                                revocable)

        # Drop the entry once the role holds nothing on the resource
        if not held_ops:
            role['permissions'].remove(matched_entry)

        Role.get_collection().save(role, safe=True)
Пример #12
    def test_put(self):
        """
        PUT on a role changes its display name and description.
        """

        # Setup
        self.role_manager.create_role('role-1', display_name='original name')

        new_values = {
            'display_name': 'new name',
            'description': 'new description'
        }
        req_body = {'delta': new_values}

        # Test
        status, body = self.put('/v2/roles/role-1/', params=req_body)

        # Verify the response
        self.assertEqual(200, status)
        self.assertEqual(body['display_name'], new_values['display_name'])

        # Verify what was actually stored
        stored = Role.get_collection().find_one({'id': 'role-1'})
        self.assertEqual(stored['display_name'], new_values['display_name'])
        self.assertEqual(stored['description'], new_values['description'])
Пример #13
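    def remove_user_from_role(role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        Permissions are revoked before the membership change is saved. If a
        revoke raises, the stored user is still a member of the role, so the
        call can be repeated instead of leaving permissions behind.

        :param role_id:           role identifier
        :type  role_id:           str
        :param login:             name of user
        :type  login:             str
        :raise MissingResource:   if the given role does not exist (the user
                                  lookup uses get_or_404, which presumably
                                  raises it as well)
        :raise PulpDataException: if this would remove the last member of the
                                  super-user role
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = model.User.objects.get_or_404(login=login)

        # Never let the super-user role become empty
        if role_id == SUPER_USER_ROLE and user_controller.is_last_super_user(login):
            raise PulpDataException(
                _('%(role)s cannot be empty, and %(login)s is the last member') %
                {'role': SUPER_USER_ROLE, 'login': login})

        if role_id not in user.roles:
            return

        user.roles.remove(role_id)

        # The roles the user keeps do not change inside the loop, so look
        # them up once.
        other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
        for item in role['permissions']:
            user_ops = _operations_not_granted_by_roles(item['resource'],
                                                        item['permission'],
                                                        other_roles)
            factory.permission_manager().revoke(item['resource'], login, user_ops)

        # Save the membership change last. Saving first would make a retry
        # return at the membership check above, and permissions left by a
        # failed revoke would stay with the user.
        user.save()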
Пример #14
Файл: cud.py Проект: nbetm/pulp
    def add_user_to_role(role_id, login):
        """
        Make a user a member of a role and grant the role's permissions.

        Does nothing when the user already belongs to the role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role does not exist
        :raise InvalidValue:    if no user has the given login
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        member = User.get_collection().find_one({'login': login})
        if member is None:
            raise InvalidValue(['login'])

        memberships = member['roles']
        if role_id in memberships:
            return

        memberships.append(role_id)
        User.get_collection().save(member, safe=True)

        # Copy every resource entry of the role onto the user
        for entry in role['permissions']:
            manager = factory.permission_manager()
            manager.grant(entry['resource'], login, entry.get('permission', []))
Пример #15
    def add_user_to_role(role_id, login):
        """
        Make a user a member of a role and grant the role's permissions.

        Role permissions are read as a mapping of resource path to operations.
        Does nothing when the user already belongs to the role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        member = User.get_collection().find_one({'login': login})
        if member is None:
            raise MissingResource(login)

        memberships = member['roles']
        if role_id in memberships:
            return

        memberships.append(role_id)
        User.get_collection().save(member, safe=True)

        # Copy each resource's operations from the role onto the user
        for path, granted_ops in role['permissions'].items():
            manager = factory.permission_manager()
            manager.grant(path, login, granted_ops)
Пример #16
Файл: cud.py Проект: beav/pulp
    def add_user_to_role(role_id, login):
        """
        Make a user a member of a role and grant the role's permissions.

        A missing role raises MissingResource, while a missing user raises
        InvalidValue. Does nothing when the user is already a member.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role does not exist
        :raise InvalidValue:    if no user has the given login
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        account = User.get_collection().find_one({'login': login})
        if account is None:
            raise InvalidValue(['login'])

        if role_id in account['roles']:
            return

        account['roles'].append(role_id)
        User.get_collection().save(account, safe=True)

        # Entries without a 'permission' key grant an empty operation list
        for entry in role['permissions']:
            manager = factory.permission_manager()
            manager.grant(entry['resource'], login, entry.get('permission', []))
Пример #17
    def add_user_to_role(role_id, login):
        """
        Make a user a member of a role and grant the role's permissions.

        The user is looked up through the model.User document class. Does
        nothing when the user is already a member.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role does not exist
        :raise InvalidValue:    if no user has the given login
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        account = model.User.objects(login=login).first()
        if account is None:
            raise InvalidValue(['login'])

        if role_id in account.roles:
            return

        account.roles.append(role_id)
        account.save()

        # Entries without a 'permission' key grant an empty operation list
        for entry in role['permissions']:
            manager = factory.permission_manager()
            manager.grant(entry['resource'], login, entry.get('permission', []))
Пример #18
    def add_user_to_role(self, role_id, login):
        """
        Make a user a member of a role and grant the role's permissions.

        Does nothing when the user already belongs to the role.

        @type role_id: str
        @param role_id: role identifier

        @type login: str
        @param login: login of user

        @rtype: None
        @return: nothing; every path that does not raise returns None

        @raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        account = User.get_collection().find_one({'login': login})
        if account is None:
            raise MissingResource(login)

        memberships = account['roles']
        if role_id in memberships:
            return

        memberships.append(role_id)
        User.get_collection().save(account, safe=True)

        # Copy each resource's operations from the role onto the user
        for path, granted_ops in role['permissions'].items():
            manager = factory.permission_manager()
            manager.grant(path, login, granted_ops)
Пример #19
Файл: cud.py Проект: nbetm/pulp
    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove operations on a resource from a role and from its members.

        Members are revoked only the operations that
        _operations_not_granted_by_roles returns for their other roles.
        Returns early when the role holds nothing on the resource.

        :param role_id:           role identifier
        :type  role_id:           str
        :param resource:          resource path to revoke permissions from
        :type  resource:          str
        :param operations:        allowed operations being revoked
        :type  operations:        list or tuple
        :raise InvalidValue:      if the role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        # Find the entry for this resource; with duplicates the last one wins
        target_entry = {}
        role_ops = []
        for entry in role['permissions']:
            if entry['resource'] == resource:
                target_entry = entry
                role_ops = target_entry['permission']

        if not role_ops:
            return

        for op in operations:
            if op in role_ops:
                role_ops.remove(op)

        # NOTE(review): revocation is driven by the caller's `operations`,
        # not by what was actually removed from the role above. Confirm this
        # is intended.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            kept_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            to_revoke = _operations_not_granted_by_roles(resource, operations, kept_roles)
            factory.permission_manager().revoke(resource, member['login'], to_revoke)

        # Drop the entry once the role holds nothing on the resource
        if not role_ops:
            role['permissions'].remove(target_entry)

        Role.get_collection().save(role, safe=True)
Пример #20
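    def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role and propagate them to the role's members.

        Role permissions are a list of {'resource', 'permission'} entries.
        The role is saved before any member is granted the new operations, so
        a failing save leaves no grants that the role does not record.

        :param role_id:           role identifier
        :type  role_id:           str
        :param resource:          resource path to grant permissions to
        :type  resource:          str
        :param operations:        allowed operations being granted
        :type  operations:        list or tuple
        :raise InvalidValue:      if the role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])
        if not role['permissions']:
            role['permissions'] = []

        # Find the entry for this resource; with duplicates the last one wins
        resource_permission = {}
        current_ops = []
        for item in role['permissions']:
            if item['resource'] == resource:
                resource_permission = item
                current_ops = resource_permission['permission']

        # No entry yet: add one that shares current_ops, so the appends
        # below land in the role document.
        if not resource_permission:
            resource_permission = dict(resource=resource,
                                       permission=current_ops)
            role['permissions'].append(resource_permission)

        for o in operations:
            if o not in current_ops:
                current_ops.append(o)

        # Persist the role before touching users: a grant made ahead of a
        # failed save would not be recorded on the role and so could not be
        # revoked through it later.
        Role.get_collection().save(role, safe=True)

        users = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for user in users:
            factory.permission_manager().grant(resource, user['login'],
                                               operations)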
Пример #21
    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove operations on a resource from a role and from its members.

        Role permissions are a mapping of resource path to operations.
        Members are revoked only the operations that
        _operations_not_granted_by_roles returns for their other roles.

        @type role_id: str
        @param role_id: role identifier

        @type resource: str
        @param resource: resource path to revoke permissions from

        @type operations: list or tuple
        @param operations: allowed operations being revoked

        @raise PulpDataException: if role_id names the super-user role
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        held_ops = role['permissions'].get(resource, [])
        if not held_ops:
            # The role grants nothing on this resource
            return

        for op in operations:
            if op in held_ops:
                held_ops.remove(op)

        # NOTE(review): the whole `operations` argument is passed on for
        # revocation, including operations this role did not hold. Confirm
        # that is intended.
        members = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for member in members:
            kept_roles = factory.role_query_manager().get_other_roles(
                role, member['roles'])
            to_revoke = _operations_not_granted_by_roles(
                resource, operations, kept_roles)
            factory.permission_manager().revoke(resource, member['login'],
                                                to_revoke)

        # Drop the resource key once no operations remain for it
        if not held_ops:
            del role['permissions'][resource]

        Role.get_collection().save(role, safe=True)
Пример #22
Файл: query.py Проект: omps/pulp
    def find_all(self):
        """
        Return every document in the role collection.

        The cursor is read fully into a list, so all roles are held in
        memory at once.

        @return: list of serialized roles
        @rtype:  list of dict
        """
        return list(Role.get_collection().find())
Пример #23
def _validate_role():
    """
    Validate the stored Role documents against a reference Role instance.

    The work is done by _validate_model, which gets the model name, the
    role collection and a Role built with an empty id.

    @rtype: int
    @return: number of errors found during validation
    """
    return _validate_model(Role.__name__, Role.get_collection(), Role(u''))
Пример #24
    def find_all(self):
        """
        Return all roles in the database as a list.

        No filter is passed to find(), so every document in the collection
        is returned.

        @return: list of serialized roles
        @rtype:  list of dict
        """
        cursor = Role.get_collection().find()
        return list(cursor)
Пример #25
    def delete_role(role_id):
        """
        Delete a role. Its permissions are revoked from the members first,
        except where _operations_not_granted_by_roles reports them as granted
        through another role of the member.

        The order is: revoke permissions, remove the role from each member,
        then remove the role document.

        :param role_id:           identifies the role being deleted
        :type  role_id:           str
        :raise InvalidValue:      if role_id is None or not a string
        :raise MissingResource:   if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # Only a string may reach the query below (None is not a basestring)
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # The super-user role can never be deleted
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        members = factory.user_query_manager().find_users_belonging_to_role(
            role_id)

        # Revoke, for every permission entry, what no other role covers
        for entry in role['permissions']:
            for member in members:
                kept_roles = factory.role_query_manager().get_other_roles(
                    role, member['roles'])
                to_revoke = _operations_not_granted_by_roles(
                    entry['resource'], entry['permission'], kept_roles)
                factory.permission_manager().revoke(entry['resource'],
                                                    member['login'], to_revoke)

        # Detach the role from each member
        for member in members:
            member['roles'].remove(role_id)
            factory.user_manager().update_user(member['login'],
                                               Delta(member, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)
Пример #26
Файл: cud.py Проект: nbetm/pulp
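    def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role and propagate them to the role's members.

        Role permissions are a list of {'resource', 'permission'} entries.
        The role document is saved before any member is granted the new
        operations. If the save raises, no member is left holding a grant
        that the role does not record.

        :param role_id:           role identifier
        :type  role_id:           str
        :param resource:          resource path to grant permissions to
        :type  resource:          str
        :param operations:        allowed operations being granted
        :type  operations:        list or tuple
        :raise InvalidValue:      if the role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])
        if not role['permissions']:
            role['permissions'] = []

        # Find the entry for this resource; with duplicates the last one wins
        resource_permission = {}
        current_ops = []
        for item in role['permissions']:
            if item['resource'] == resource:
                resource_permission = item
                current_ops = resource_permission['permission']

        # No entry yet: add one that shares current_ops, so the appends
        # below land in the role document.
        if not resource_permission:
            resource_permission = dict(resource=resource, permission=current_ops)
            role['permissions'].append(resource_permission)

        for o in operations:
            if o not in current_ops:
                current_ops.append(o)

        # Record the change on the role first. A grant handed out before a
        # failed save would be invisible to remove_permissions_from_role.
        Role.get_collection().save(role, safe=True)

        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            factory.permission_manager().grant(resource, user['login'], operations)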
Пример #27
Файл: query.py Проект: omps/pulp
    def find_by_id(self, role_id):
        """
        Look up a single role by its id.

        role_id is placed in the query document as given.
        NOTE(review): callers should pass a plain string. MongoDB treats a
        dict in this position as a query operator document rather than a
        literal value. Confirm inputs are validated upstream.

        @return: serialized data describing the role, or None if no role
                 has the given id
        @rtype:  dict or None
        """
        return Role.get_collection().find_one({'id': role_id})
Пример #28
Файл: cud.py Проект: bartwo/pulp
    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove operations on a resource from a role and from its members.

        Role permissions are a mapping of resource path to operations.
        Returns without changes when the role holds nothing on the resource.

        @type role_id: str
        @param role_id: role identifier

        @type resource: str
        @param resource: resource path to revoke permissions from

        @type operations: list or tuple
        @param operations: allowed operations being revoked

        @raise PulpDataException: if role_id names the super-user role
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        role_ops = role['permissions'].get(resource, [])
        if not role_ops:
            return

        for op in operations:
            if op in role_ops:
                role_ops.remove(op)

        # NOTE(review): revocation is driven by the caller's `operations`,
        # not by what was actually removed from the role above. Confirm this
        # is intended.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            revocable = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'], revocable)

        # Drop the resource key once no operations remain for it
        if not role_ops:
            del role['permissions'][resource]

        Role.get_collection().save(role, safe=True)
Пример #29
    def find_by_id(self, role_id):
        """
        Fetch the role whose id equals role_id.

        The value goes into the query document unchecked.
        NOTE(review): this presumably expects a string. A dict here would be
        read by MongoDB as query operators, so verify what callers pass.

        @return: serialized data describing the role, or None when there is
                 no match
        @rtype:  dict or None
        """
        query = {"id": role_id}
        return Role.get_collection().find_one(query)
Пример #30
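    def update_role(self, role_id, delta):
        """
        Updates a role object.

        'display_name', 'description' and 'permissions' may be changed. An
        'id' entry in delta is dropped, which also removes it from the
        caller's dict. Nothing is saved if any other key is present.

        @param role_id: The role identifier.
        @type role_id: str

        @param delta: A dict containing update keywords.
        @type delta: dict

        @return: The updated object
        @rtype: dict

        @raise MissingResource: if the given role does not exist
        @raise PulpDataException: if an update keyword is not supported
        """

        delta.pop('id', None)

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # NOTE(review): 'permissions' is overwritten here as given. This
        # method has no super-user-role check and does not grant or revoke
        # anything for the role's members, so a change made this way is not
        # applied to users. Confirm that callers are meant to be able to set
        # it through this path.
        supported = ('display_name', 'description', 'permissions')
        for key, value in delta.items():
            if key not in supported:
                # Translate the template, then interpolate. Formatting first
                # would make the catalog lookup miss for every distinct key.
                raise PulpDataException(
                    _("Update Keyword [%s] is not supported") % key)
            role[key] = value

        Role.get_collection().save(role, safe=True)

        # Re-read the role so the caller gets the stored SON object
        updated = Role.get_collection().find_one({'id': role_id})
        return updated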
Пример #31
Файл: cud.py Проект: nbetm/pulp
    def get_role(role):
        """
        Look up a role document by its id.

        NOTE(review): the value is used in the query as given. Callers
        should pass a string, because MongoDB reads a dict in this position
        as query operators.

        :param role: A role id to search for
        :type  role: str

        :return: the document whose 'id' equals the given value, if any
        :rtype:  Role or None
        """
        match = Role.get_collection().find_one({'id': role})
        return match
Пример #32
    def get_role(role):
        """
        Return the role stored under the given id, or None.

        :param role: A role id to search for
        :type  role: str

        :return: the matching role document; None when nothing matches
        :rtype:  Role or None
        """
        roles = Role.get_collection()
        return roles.find_one({'id': role})
Пример #33
Файл: cud.py Проект: nbetm/pulp
    def delete_role(role_id):
        """
        Delete a role after revoking its permissions from the members.

        A member keeps whatever _operations_not_granted_by_roles leaves out
        for the member's other roles. Permissions are revoked first, then the
        role is removed from each member, and the role document goes last.

        :param role_id:           identifies the role being deleted
        :type  role_id:           str
        :raise InvalidValue:      if role_id is None or not a string
        :raise MissingResource:   if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # None fails the isinstance test too, so one check covers both cases
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # The super-user role is protected from deletion
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        members = factory.user_query_manager().find_users_belonging_to_role(role_id)

        for entry in role['permissions']:
            for member in members:
                remaining_roles = factory.role_query_manager().get_other_roles(
                    role, member['roles'])
                revocable = _operations_not_granted_by_roles(
                    entry['resource'], entry['permission'], remaining_roles)
                factory.permission_manager().revoke(
                    entry['resource'], member['login'], revocable)

        # Detach the role from each member
        for member in members:
            member['roles'].remove(role_id)
            factory.user_manager().update_user(member['login'], Delta(member, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)
Пример #34
def migrate(*args, **kwargs):
    """
    Move role permissions into the permissions database

    Every role whose 'permissions' value is a dict (resource -> permission) is
    rewritten as a list of dicts with 'resource' and 'permission' keys and saved
    back. Roles whose 'permissions' value is not a dict are left untouched, so
    running the migration again does not change already-converted roles.

    The positional and keyword arguments are accepted but not used.
    """
    roles = Role.get_collection()
    for role_doc in roles.find({}):
        legacy = role_doc['permissions']
        if not isinstance(legacy, dict):
            # Not in the old dict form: nothing to convert for this role.
            continue

        role_doc['permissions'] = [
            dict(resource=path, permission=granted)
            for path, granted in legacy.items()
        ]
        # NOTE(review): save() is called without safe=True here -- confirm
        # whether the write is acknowledged before the migration reports success.
        roles.save(role_doc)
Пример #35
def find_users_belonging_to_role(role_id):
    """
    Get a list of users belonging to the given role

    :param role_id: get members of this role
    :type  role_id: str

    :return: list of users that are members of the given role
    :rtype:  list of pulp.server.db.model.User instances

    :raise pulp_exceptions.MissingResource: if no role document has the given id
    """
    # The role document is only needed to prove the role exists.
    if Role.get_collection().find_one({'id': role_id}) is None:
        raise pulp_exceptions.MissingResource(role_id)

    # Membership is decided in Python by walking every user object, not by a
    # database-side filter.
    members = []
    for candidate in model.User.objects():
        if role_id in candidate.roles:
            members.append(candidate)
    return members
Пример #36
def find_users_belonging_to_role(role_id):
    """
    Get a list of users belonging to the given role

    :param role_id: get members of this role
    :type  role_id: str

    :return: list of users that are members of the given role
    :rtype:  list of pulp.server.db.model.User instances

    :raise pulp_exceptions.MissingResource: if no role document has the given id
    """
    role_doc = Role.get_collection().find_one({'id': role_id})
    if role_doc is None:
        raise pulp_exceptions.MissingResource(role_id)

    # NOTE(review): role_id is used in the query filter without a type check in
    # this function; confirm callers only pass strings.
    every_user = model.User.objects()
    return [member for member in every_user if role_id in member.roles]
Пример #37
    def test_delete(self):
        """
        Tests deleting an existing role.

        NOTE(review): as far as this test shows, the role is created without
        members or permissions, so only removal of the role document is
        verified; revoking permissions from role members is not exercised.
        """
        doomed_id = 'doomed'

        # Setup: the role must exist before it can be deleted.
        self.role_manager.create_role(doomed_id)

        # Test: delete through the REST endpoint.
        status, body = self.delete('/v2/roles/doomed/')

        # Verify: success status and no role document left behind.
        self.assertEqual(200, status)

        leftover = Role.get_collection().find_one({'id': doomed_id})
        self.assertTrue(leftover is None)
Пример #38
    def test_delete(self):
        """
        Tests deleting an existing role.

        Creates a role, deletes it through the REST API and checks that the
        call reports 200 and that the role can no longer be found.
        """
        # Setup
        role_id = 'doomed'
        self.role_manager.create_role(role_id)

        # Test
        status, body = self.delete('/v2/roles/doomed/')

        # Verify
        self.assertEqual(200, status)

        # NOTE(review): only the role collection is inspected; nothing here
        # checks users or permissions after the delete.
        roles = Role.get_collection()
        self.assertTrue(roles.find_one({'id': role_id}) is None)
Пример #39
    def find_users_belonging_to_role(self, role_id):
        """
        Get a list of users belonging to the given role

        @type role_id: str
        @param role_id: id of the role to get members of

        @rtype: list of L{pulp.server.db.model.auth.User} instances
        @return: list of users that are members of the given role

        @raise MissingResource: if no role document has the given id
        """
        # Fail early for an unknown role instead of returning an empty list.
        if Role.get_collection().find_one({'id': role_id}) is None:
            raise MissingResource(role_id)

        # Every user returned by find_all() is checked in Python.
        return [member for member in self.find_all() if role_id in member['roles']]
Пример #40
    def find_users_belonging_to_role(self, role_id):
        """
        Get a list of users belonging to the given role

        @type role_id: str
        @param role_id: id of the role to get members of

        @rtype: list of L{pulp.server.db.model.auth.User} instances
        @return: list of users that are members of the given role

        @raise MissingResource: if no role document has the given id
        """
        role_doc = Role.get_collection().find_one({'id': role_id})
        if role_doc is None:
            raise MissingResource(role_id)

        # NOTE(review): role_id reaches the query filter without a type check in
        # this method; confirm callers only pass strings.
        def _is_member(candidate):
            return role_id in candidate['roles']

        return [candidate for candidate in self.find_all() if _is_member(candidate)]
Пример #41
    def remove_user_from_role(self, role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        If the user is not a member of the role, nothing is changed.

        @type role_id: str
        @param role_id: role identifier

        @type login: str
        @param login: name of user

        @rtype: None
        @return: nothing; no code path in this method returns a value

        @raise MissingResource: if the given role or user does not exist
        @raise PulpDataException: if the role is the super-user role and
                                  is_last_super_user reports the user as its
                                  last member
        """
        # NOTE(review): role_id and login go into the query filters as-is; this
        # method does no type check. Confirm callers only pass strings, since a
        # dict value would be read by MongoDB as a query expression.
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        # Guard against leaving the super-user role without any member.
        if role_id == self.super_user_role and factory.user_query_manager(
        ).is_last_super_user(login):
            raise PulpDataException(
                _('%s cannot be empty, and %s is the last member') %
                (self.super_user_role, login))

        # Not a member: nothing to remove and nothing to revoke.
        if role_id not in user['roles']:
            return

        # The membership change is persisted before any permission is revoked.
        # NOTE(review): no rollback is visible here. If a revoke call below
        # fails, the user has already lost the role but may keep permissions it
        # granted -- consider revoking first or retrying the revocation.
        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # role['permissions'] is read as a dict of resource -> operations.
        # Only operations that _operations_not_granted_by_roles returns for the
        # user's other roles are revoked.
        for resource, operations in role['permissions'].items():
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                resource, operations, other_roles)
            factory.permission_manager().revoke(resource, login, user_ops)
Пример #42
    def remove_user_from_role(role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        If the user is not a member of the role, nothing is changed.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :return:                None
        :raise MissingResource: if the given role or user does not exist
        :raise PulpDataException: if the role is the super-user role and
                                  is_last_super_user reports the user as its
                                  last member
        """
        # NOTE(review): role_id and login go into the query filters as-is; this
        # function does no type check. Confirm callers only pass strings, since a
        # dict value would be read by MongoDB as a query expression.
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        # Guard against leaving the super-user role without any member.
        if role_id == SUPER_USER_ROLE and factory.user_query_manager(
        ).is_last_super_user(login):
            raise PulpDataException(
                _('%(role)s cannot be empty, and %(login)s is the last member')
                % {
                    'role': SUPER_USER_ROLE,
                    'login': login
                })

        # Not a member: nothing to remove and nothing to revoke.
        if role_id not in user['roles']:
            return

        # The membership change is persisted before any permission is revoked.
        # NOTE(review): no rollback is visible here. If a revoke call below
        # fails, the user has already lost the role but may keep permissions it
        # granted -- consider revoking first or retrying the revocation.
        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # Each entry of role['permissions'] is read as a dict with 'resource'
        # and 'permission' keys. Only operations that
        # _operations_not_granted_by_roles returns for the user's other roles
        # are revoked.
        for item in role['permissions']:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                item['resource'], item['permission'], other_roles)
            factory.permission_manager().revoke(item['resource'], login,
                                                user_ops)
Пример #43
    def test_post(self):
        """
        Tests using post to create a role.

        NOTE(review): this covers the successful path only; rejected requests
        (bad role_id, caller without permission) are not exercised here.
        """
        # Setup
        params = {
            "role_id": "role-1",
            "display_name": "Role 1",
            "description": "Role 1 description",
        }

        # Test
        status, body = self.post("/v2/roles/", params=params)

        # Verify the response ...
        self.assertEqual(201, status)

        self.assertEqual(body["id"], "role-1")

        # ... and what was actually stored.
        stored = Role.get_collection().find_one({"id": "role-1"})
        self.assertTrue(stored is not None)
        for field in ("display_name", "description"):
            self.assertEqual(params[field], stored[field])
Пример #44
Файл: cud.py Проект: bartwo/pulp
    def remove_user_from_role(self, role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        If the user is not a member of the role, nothing is changed.

        @type role_id: str
        @param role_id: role identifier

        @type login: str
        @param login: name of user

        @rtype: None
        @return: nothing; no code path in this method returns a value

        @raise MissingResource: if the given role or user does not exist
        @raise PulpDataException: if the role is the super-user role and
                                  is_last_super_user reports the user as its
                                  last member
        """
        # NOTE(review): role_id and login go into the query filters as-is; this
        # method does no type check. Confirm callers only pass strings, since a
        # dict value would be read by MongoDB as a query expression.
        role = Role.get_collection().find_one({'id' : role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login' : login})
        if user is None:
            raise MissingResource(login)

        # Guard against leaving the super-user role without any member.
        if role_id == self.super_user_role and factory.user_query_manager().is_last_super_user(login):
            raise PulpDataException(_('%s cannot be empty, and %s is the last member') %
                                     (self.super_user_role, login))

        # Not a member: nothing to remove and nothing to revoke.
        if role_id not in user['roles']:
            return
        
        # The membership change is persisted before any permission is revoked.
        # NOTE(review): no rollback is visible here. If a revoke call below
        # fails, the user has already lost the role but may keep permissions it
        # granted -- consider revoking first or retrying the revocation.
        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # role['permissions'] is read as a dict of resource -> operations.
        # Only operations that _operations_not_granted_by_roles returns for the
        # user's other roles are revoked.
        for resource, operations in role['permissions'].items():
            other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            user_ops = _operations_not_granted_by_roles(resource,
                                                        operations,
                                                        other_roles)
            factory.permission_manager().revoke(resource, login, user_ops)
Пример #45
    def test_put(self):
        """
        Tests using put to update a role.

        The request carries a "delta" with a new display name and description;
        both the response body and the stored role are checked against it.
        """
        # Setup
        self.role_manager.create_role("role-1", display_name="original name")

        delta = {"display_name": "new name", "description": "new description"}
        req_body = {"delta": delta}

        # Test
        status, body = self.put("/v2/roles/role-1/", params=req_body)

        # Verify
        self.assertEqual(200, status)

        self.assertEqual(body["display_name"], delta["display_name"])

        stored = Role.get_collection().find_one({"id": "role-1"})
        for field in ("display_name", "description"):
            self.assertEqual(stored[field], delta[field])
Пример #46
    def test_put(self):
        """
        Tests using put to update a role.

        NOTE(review): the delta only touches display_name and description; the
        test does not show what the endpoint does with other keys in a delta
        (for example 'permissions' or 'id').
        """
        # Setup
        self.role_manager.create_role('role-1', display_name='original name')

        wanted = {'display_name': 'new name', 'description': 'new description'}
        req_body = {'delta': wanted}

        # Test
        status, body = self.put('/v2/roles/role-1/', params=req_body)

        # Verify the response first, then the persisted document.
        self.assertEqual(200, status)

        self.assertEqual(body['display_name'], wanted['display_name'])

        persisted = Role.get_collection().find_one({'id': 'role-1'})
        self.assertEqual(persisted['display_name'], wanted['display_name'])
        self.assertEqual(persisted['description'], wanted['description'])
Пример #47
    def test_post(self):
        """
        Tests using post to create a role.

        Posts a role definition, then checks the 201 response, the id echoed in
        the body, and the display name and description stored for the role.
        """
        # Setup
        role_id = 'role-1'
        params = dict(
            role_id=role_id,
            display_name='Role 1',
            description='Role 1 description',
        )

        # Test
        status, body = self.post('/v2/roles/', params=params)

        # Verify
        self.assertEqual(201, status)

        self.assertEqual(body['id'], role_id)

        created = Role.get_collection().find_one({'id': role_id})
        self.assertTrue(created is not None)
        self.assertEqual(params['display_name'], created['display_name'])
        self.assertEqual(params['description'], created['description'])
Пример #48
    def test_post(self):
        """
        Tests using post to create a role.

        NOTE(review): this covers the successful path only; rejected requests
        (bad role_id, caller without permission) are not exercised here.
        """
        # Setup
        params = {
            'role_id': 'role-1',
            'display_name': 'Role 1',
            'description': 'Role 1 description',
        }

        # Test
        status, body = self.post('/v2/roles/', params=params)

        # Verify the response ...
        self.assertEqual(201, status)

        self.assertEqual(body['id'], 'role-1')

        # ... and the document that ended up in the role collection.
        stored = Role.get_collection().find_one({'id': 'role-1'})
        self.assertTrue(stored is not None)
        for field in ('display_name', 'description'):
            self.assertEqual(params[field], stored[field])
Пример #49
 def clean(self):
     """Run the base-class cleanup, then call remove() on the role collection with no filter."""
     base.PulpServerTests.clean(self)
     # NOTE(review): remove() is called without safe=True here -- confirm the
     # write is acknowledged before the next test relies on an empty collection.
     role_collection = Role.get_collection()
     role_collection.remove()
Пример #50
 def clean(self):
     """Run the parent cleanup, then empty the user, role and permission collections."""
     super(AuthControllersTests, self).clean()
     # Same order as before: users, then roles, then permissions.
     for model_cls in (User, Role, Permission):
         model_cls.get_collection().remove(safe=True)
Пример #51
 def clean(self):
     """Run the base-class cleanup, then call remove() on the role collection with no filter."""
     base.PulpServerTests.clean(self)
     roles = Role.get_collection()
     # No filter is passed, so the call is not limited to particular roles.
     roles.remove()
Пример #52
 def clean(self):
     """Run the parent cleanup, then empty the user, role and permission collections."""
     super(AuthControllersTests, self).clean()

     # Auth state is wiped between tests so that users, roles and permissions
     # created by one test cannot leak into the next.
     user_collection = User.get_collection()
     user_collection.remove(safe=True)

     role_collection = Role.get_collection()
     role_collection.remove(safe=True)

     permission_collection = Permission.get_collection()
     permission_collection.remove(safe=True)
Пример #53
 def _getcollection(self):
     """Return the result of Role.get_collection(); self is not used."""
     role_collection = Role.get_collection()
     return role_collection