Пример #1
0
 def inner(*args, **kwargs):
     user = kwargs['user']
     keycloak = di.get(KeycloakClient)
     if not user or not any(
             keycloak.user_check_role(user, role) for role in roles):
         raise Forbidden(forbidden_message)
     return fn(*args, **kwargs)
Пример #2
0
    def create_openstack_client(self, project=None):
        """
        Create OpenStack SDK connection (client). Optional `project` argument
        can be used to change project, default is project from the region
        (:attr:`Region.project`).

        Returns:
            openstack.connection.Connection
        """
        vault = di.get(Vault)
        credentials = vault.read(self.openstack_credentials)
        if not credentials:
            raise RuntimeError(
                f'Missing credentials in vault; {vault!r} {self.openstack_credentials}'
            )
        connection = openstack.connection.Connection(
            auth=dict(
                auth_url=self.openstack_url,
                username=credentials['username'],
                password=credentials['password'],
                project_name=project or self.openstack_project,
                domain_name=self.openstack_domain_name,
            ),
            region_name="regionOne",
            interface="public",
            identity_api_version=3,
        )
        connection.authorize()
        return connection
Пример #3
0
def decode_token(token):
    keycloak = di.get(KeycloakClient)

    token = keycloak.token_info(token)
    if not token['active']:
        raise Unauthorized('Token is not valid')
    return token
Пример #4
0
 def inner(*args, **kwargs):
     keycloak = di.get(KeycloakClient)
     if 'policy_id' in kwargs:
         current_user = kwargs['user']
         group_name = f'policy-{kwargs["policy_id"]}-owners'
         group_list = keycloak.user_group_list(current_user)
         groups = {group['name']: group for group in group_list}
         if group_name in groups.keys():
             # User has access to delete/edit policy
             return func(*args, **kwargs)
         else:
             # User does not have access to delete/edit policy
             return problem(403, 'Forbidden', 'You do not own this policy')
     else:
         return func(*args, **kwargs)
Пример #5
0
    def create_tower_client(self) -> Tower:
        """
        Create Tower client.

        :returns: :class:`rhub.tower.client.Tower`
        :raises: `RuntimeError` if failed to create client due to missing
                 credentials in vault
        :raises: `Exception` any other errors
        """
        vault = di.get(Vault)
        credentials = vault.read(self.credentials)
        if not credentials:
            raise RuntimeError(
                f'Missing credentials in vault; {vault!r} {self.credentials}')
        return Tower(
            url=self.url,
            username=credentials['username'],
            password=credentials['password'],
            verify_ssl=self.verify_ssl,
        )
Пример #6
0
def user_is_admin(user_id):
    """Check if user is admin, has :const:`rhub.auth.ADMIN_ROLE` role."""
    keycloak = di.get(KeycloakClient)
    return keycloak.user_check_role(user_id, ADMIN_ROLE)
Пример #7
0
 def user_name(self):
     if self.user_id:
         return di.get(KeycloakClient).user_get(self.user_id)['username']
     return None
Пример #8
0
 def group_name(self):
     if self.group_id:
         return di.get(KeycloakClient).group_get(self.group_id)['name']
     return None
Пример #9
0
 def get_user_project_name(self, user_id):
     user_name = di.get(KeycloakClient).user_get(user_id)['username']
     return f'ql_{user_name}'
Пример #10
0
 def users_group_name(self):
     if self.users_group:
         return di.get(KeycloakClient).group_get(self.users_group)['name']
     return None
Пример #11
0
 def owner_group_name(self):
     return di.get(KeycloakClient).group_get(self.owner_group)['name']
Пример #12
0
def basic_auth(username, password, required_scopes=None):
    keycloak = di.get(KeycloakClient)

    return keycloak.login(username, password)
Пример #13
0
def setup_keycloak():
    keycloak = di.get(KeycloakClient)

    groups = {group['name']: group for group in keycloak.group_list()}
    roles = {role['name']: role for role in keycloak.role_list()}

    if ADMIN_GROUP not in groups:
        logger.info(f'Creating admin group "{ADMIN_GROUP}"')
        admin_group_id = keycloak.group_create({'name': ADMIN_GROUP})
        groups[ADMIN_GROUP] = keycloak.group_get(admin_group_id)

    if ADMIN_ROLE not in roles:
        logger.info(f'Creating admin role "{ADMIN_ROLE}"')
        admin_role_name = keycloak.role_create({'name': ADMIN_ROLE})
        roles[ADMIN_ROLE] = keycloak.role_get(admin_role_name)

    if not any(
            role['name'] == ADMIN_ROLE
            for role in keycloak.group_role_list(groups[ADMIN_GROUP]['id'])):
        logger.info(
            f'Adding admin role "{ADMIN_ROLE}" to admin group "{ADMIN_GROUP}"')
        keycloak.group_role_add(ADMIN_ROLE, groups[ADMIN_GROUP]['id'])

    if not keycloak.user_list({'username': ADMIN_USER}):
        logger.info(f'Creating admin account "{ADMIN_USER}"')
        keycloak.user_create({
            'username': ADMIN_USER,
            'email': '*****@*****.**',
            'firstName': 'Admin',
            'lastName': 'RHub',
        })

    admin_user = keycloak.user_list({'username': ADMIN_USER})[0]
    if not any(group['name'] == ADMIN_GROUP
               for group in keycloak.user_group_list(admin_user['id'])):
        logger.info(
            f'Adding admin user "{ADMIN_USER}" to admin group "{ADMIN_GROUP}"')
        keycloak.group_user_add(admin_user['id'], groups[ADMIN_GROUP]['id'])

    for i in ['lab-owner', 'policy-owner']:
        if i not in roles:
            logger.info(f'Creating "{i}" role')
            roles[i] = keycloak.role_create({'name': i})

    if SHAREDCLUSTER_GROUP not in groups:
        logger.info(f'Creating sharedcluster group "{SHAREDCLUSTER_GROUP}"')
        group_id = keycloak.group_create({'name': SHAREDCLUSTER_GROUP})
        groups[SHAREDCLUSTER_GROUP] = keycloak.group_get(group_id)

    if SHAREDCLUSTER_ROLE not in roles:
        logger.info(f'Creating sharedcluster role "{SHAREDCLUSTER_ROLE}"')
        role_name = keycloak.role_create({'name': SHAREDCLUSTER_ROLE})
        roles[SHAREDCLUSTER_ROLE] = keycloak.role_get(role_name)

    if not any(role['name'] == SHAREDCLUSTER_ROLE for role in
               keycloak.group_role_list(groups[SHAREDCLUSTER_GROUP]['id'])):
        logger.info(f'Adding sharedcluster role "{SHAREDCLUSTER_ROLE}" '
                    f'to sharedcluster group "{SHAREDCLUSTER_GROUP}"')
        keycloak.group_role_add(SHAREDCLUSTER_ROLE,
                                groups[SHAREDCLUSTER_GROUP]['id'])

    if not keycloak.user_list({'username': SHAREDCLUSTER_USER}):
        logger.info(f'Creating sharedclusters account "{SHAREDCLUSTER_USER}"')
        keycloak.user_create({
            'username': SHAREDCLUSTER_USER,
            'email': f'nobody+{SHAREDCLUSTER_USER}@redhat.com',
            'firstName': 'Shared Cluster',
            'lastName': 'RHub',
        })

    sharedcluster_user = keycloak.user_list({'username':
                                             SHAREDCLUSTER_USER})[0]
    if not any(
            group['name'] == SHAREDCLUSTER_GROUP
            for group in keycloak.user_group_list(sharedcluster_user['id'])):
        logger.info(f'Adding sharedcluster user "{SHAREDCLUSTER_USER}" '
                    f'to sharedcluster group "{SHAREDCLUSTER_GROUP}"')
        keycloak.group_user_add(sharedcluster_user['id'],
                                groups[SHAREDCLUSTER_GROUP]['id'])