Пример #1
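    def test_has_role(self):
        """Check that only the admin fixture user holds the system ADMIN role.

        RBAC is switched on explicitly for this test, and the override is
        registered for cleanup so the change to the shared config object does
        not leak into tests that run afterwards.
        """
        # Make sure RBAC is enabled for this test.
        # NOTE(review): presumably user_has_role consults this setting; if it
        # short-circuits when RBAC is off, the negative assertion below would
        # not exercise the role lookup at all - confirm against the rbac utils.
        cfg.CONF.set_override(name='enable', override=True, group='rbac')
        # The override lives on the shared CONF object: undo it when the test
        # ends so later tests do not silently inherit RBAC being enabled.
        self.addCleanup(cfg.CONF.clear_override, 'enable', group='rbac')

        # Admin user must be recognised as holding the ADMIN role.
        self.assertTrue(user_has_role(user_db=self.admin_user, role=SystemRole.ADMIN))

        # Regular user must NOT be treated as an admin.
        self.assertFalse(user_has_role(user_db=self.regular_user, role=SystemRole.ADMIN))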
Пример #2
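    def test_has_role(self):
        """Assert the ADMIN role is reported for the admin user only.

        The RBAC override set here is cleared again through ``addCleanup`` so
        that the shared configuration is restored once the test finishes.
        """
        # Make sure RBAC is enabled for this test, and restore the previous
        # state afterwards: the override is set on the shared CONF object and
        # would otherwise stay in effect for whatever test runs next.
        # NOTE(review): presumably the role check depends on this flag -
        # confirm what user_has_role returns when RBAC is disabled.
        cfg.CONF.set_override(name='enable', override=True, group='rbac')
        self.addCleanup(cfg.CONF.clear_override, 'enable', group='rbac')

        # Admin user: the positive case.
        self.assertTrue(
            user_has_role(user_db=self.admin_user, role=SystemRole.ADMIN))

        # Regular user: the negative case, i.e. no accidental privilege.
        self.assertFalse(
            user_has_role(user_db=self.regular_user, role=SystemRole.ADMIN))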
Пример #3
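def check_permission(inquiry, requester):
    """Verify that ``requester`` may respond to ``inquiry``.

    The inquiry may carry a ``roles`` list and a ``users`` list. The
    requester has to hold at least one of the listed roles AND appear in the
    user list; a missing or empty list places no restriction on that axis.

    Security notes for callers:

    * An inquiry that defines neither ``roles`` nor ``users`` passes for
      every caller that reaches this function, so access to the endpoint
      itself still has to be controlled elsewhere.
    * When ``requester`` is a string it is wrapped in a ``UserDB`` as given;
      no lookup is visible here, so the name must come from an already
      authenticated context.

    :param inquiry: Object exposing ``id`` and, optionally, ``roles`` and
                    ``users``.
    :param requester: A user object with a ``name`` attribute, or a username
                      string.

    :raises InquiryResponseUnauthorized: If the role check or the user check
                                         fails.
    """
    # Normalize user object.
    user_db = (auth_db_models.UserDB(requester) if isinstance(
        requester, six.string_types) else requester)

    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])

    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        # NOTE(review): presumably the answer depends on the RBAC
        # configuration - verify how role restrictions on an inquiry behave
        # when RBAC is disabled.
        has_role = rbac_utils.user_has_role(user_db, role)

        # Hand the values to the logger as arguments so the message is only
        # formatted when debug logging is actually enabled.
        LOG.debug('Checking user %s is in role %s - %s', user_db, role, has_role)

        if has_role:
            roles_passed = True
            break

    # Determine user-level permissions
    # NOTE(review): assumes ``users`` is a list of names; with a bare string
    # the ``in`` test below becomes a substring match - confirm the inquiry
    # schema enforces a list.
    users = getattr(inquiry, 'users', [])
    if not users or user_db.name in users:
        users_passed = True

    # Throw exception if either permission check failed.
    if not roles_passed or not users_passed:
        raise inquiry_exceptions.InquiryResponseUnauthorized(
            str(inquiry.id), requester)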
Пример #4
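    def _can_respond(self, inquiry, requester_user):
        """Determine if requester_user is permitted to respond based on parameters

        This determines if the requesting user has permission to respond to THIS inquiry.
        Note this is NOT RBAC, and you should still protect the API endpoint with RBAC
        where appropriate.

        The requester must hold at least one role from ``inquiry.roles`` AND be named in
        ``inquiry.users``. A missing or empty list places no restriction on that axis, so
        an inquiry that defines neither is answerable by any caller that reaches this
        method.

        :param inquiry: The Inquiry for which the response is given
        :param requester_user: The user providing the response

        :rtype: bool - True if requester_user is able to respond. False if not.
        """

        # Deny by default
        roles_passed = False
        users_passed = False

        # Determine role-level permissions
        roles = getattr(inquiry, 'roles', [])

        if not roles:
            # No roles definition so we treat it as a pass
            roles_passed = True

        for role in roles:
            # Look the membership up once and reuse it, so the value written
            # to the log is exactly the value the decision is based on and
            # the lookup is not repeated per role.
            has_role = rbac_utils.user_has_role(requester_user, role)

            # Logger arguments defer formatting until debug is enabled.
            LOG.debug("Checking user %s is in role %s - %s",
                      requester_user, role, has_role)

            if has_role:
                roles_passed = True
                break

        # Determine user-level permissions
        # NOTE(review): assumes ``users`` is a list of names; a bare string
        # would turn the ``in`` test into a substring match - confirm the
        # inquiry schema enforces a list.
        users = getattr(inquiry, 'users', [])
        if not users or requester_user.name in users:
            users_passed = True

        # Both must pass
        return roles_passed and users_passed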
Пример #5
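    def _can_respond(self, inquiry, requester_user):
        """Determine if requester_user is permitted to respond based on parameters

        This determines if the requesting user has permission to respond to THIS inquiry.
        Note this is NOT RBAC, and you should still protect the API endpoint with RBAC
        where appropriate.

        Both the role restriction (``inquiry.roles``) and the user restriction
        (``inquiry.users``) have to be satisfied. An absent or empty list counts as
        satisfied, which means an inquiry without either list does not restrict who
        may respond.

        :param inquiry: The Inquiry for which the response is given
        :param requester_user: The user providing the response

        :rtype: bool - True if requester_user is able to respond. False if not.
        """

        # Deny by default
        roles_passed = False
        users_passed = False

        # Determine role-level permissions
        roles = getattr(inquiry, 'roles', [])

        if not roles:
            # No roles definition so we treat it as a pass
            roles_passed = True

        for role in roles:
            # One lookup per role: the previous form queried the role a second
            # time only to build the log line, so the logged answer and the
            # enforced answer came from separate calls.
            has_role = rbac_utils.user_has_role(requester_user, role)

            LOG.debug(
                "Checking user %s is in role %s - %s", requester_user, role, has_role
            )

            if has_role:
                roles_passed = True
                break

        # Determine user-level permissions
        # NOTE(review): presumably ``users`` holds user names as a list;
        # verify, because ``in`` on a plain string matches substrings.
        users = getattr(inquiry, 'users', [])
        if not users or requester_user.name in users:
            users_passed = True

        # Both must pass
        return roles_passed and users_passed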
Пример #6
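def check_permission(inquiry, requester):
    """Raise unless ``requester`` is allowed to respond to ``inquiry``.

    Two independent restrictions are evaluated: ``inquiry.roles`` (the
    requester needs at least one of them) and ``inquiry.users`` (the
    requester's name must be listed). A restriction that is absent or empty
    is treated as satisfied, so an inquiry with no restrictions at all is
    open to any caller that gets this far; endpoint-level access control is
    still needed.

    A string ``requester`` is wrapped in a ``UserDB`` without any lookup
    being visible here, so the name has to originate from an authenticated
    context.

    :param inquiry: Object exposing ``id`` and, optionally, ``roles`` and
                    ``users``.
    :param requester: A user object with a ``name`` attribute, or a username
                      string.

    :raises InquiryResponseUnauthorized: If either restriction is not met.
    """
    # Normalize user object.
    user_db = (
        auth_db_models.UserDB(requester)
        if isinstance(requester, six.string_types)
        else requester
    )

    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])

    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        # NOTE(review): presumably influenced by the RBAC configuration;
        # confirm what this returns when RBAC is disabled.
        has_role = rbac_utils.user_has_role(user_db, role)

        # Lazy logger arguments: no string formatting unless debug is on.
        LOG.debug('Checking user %s is in role %s - %s', user_db, role, has_role)

        if has_role:
            roles_passed = True
            break

    # Determine user-level permissions
    # NOTE(review): assumes ``users`` is a list; if it were a single string,
    # ``in`` would accept any substring of it - verify the schema.
    users = getattr(inquiry, 'users', [])
    if not users or user_db.name in users:
        users_passed = True

    # Throw exception if either permission check failed.
    if not roles_passed or not users_passed:
        raise inquiry_exceptions.InquiryResponseUnauthorized(str(inquiry.id), requester)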
Пример #7
    def test_has_role(self):
        """Only the admin fixture user should be reported as holding ADMIN."""
        # NOTE(review): presumably user_has_role depends on RBAC being enabled
        # in the test configuration - confirm the fixture sets it, otherwise
        # the negative assertion may not exercise the role lookup.

        # Positive case: the admin fixture holds the system ADMIN role.
        admin_is_admin = user_has_role(user=self.admin_user, role=SystemRole.ADMIN)
        self.assertTrue(admin_is_admin)

        # Negative case: a regular user must not be treated as an admin.
        regular_is_admin = user_has_role(user=self.regular_user, role=SystemRole.ADMIN)
        self.assertFalse(regular_is_admin)