def test_has_role(self):
    """Check that user_has_role() reports ADMIN only for the admin user.

    Runs with the 'enable' option of the 'rbac' config group overridden to
    True, so only the RBAC-enabled path is exercised here.
    """
    # Make sure RBAC is enabled for the tests.
    # NOTE(review): the override is not cleared inside this method; confirm the
    # fixture teardown resets it so later tests do not inherit the RBAC state.
    cfg.CONF.set_override(group='rbac', name='enable', override=True)

    # self.admin_user must be reported as holding the ADMIN system role.
    admin_result = user_has_role(user_db=self.admin_user, role=SystemRole.ADMIN)
    self.assertTrue(admin_result)

    # self.regular_user must not be reported as holding it.
    regular_result = user_has_role(user_db=self.regular_user, role=SystemRole.ADMIN)
    self.assertFalse(regular_result)
def test_has_role(self):
    """Verify the ADMIN role lookup for the admin and the regular test user.

    The lookup is made with RBAC switched on through a config override.
    """
    # RBAC has to be enabled for the assertions below.
    # NOTE(review): nothing in this method undoes the override; verify that the
    # test base class restores configuration between tests.
    cfg.CONF.set_override(name='enable', group='rbac', override=True)

    target_role = SystemRole.ADMIN

    # Positive case: the admin user holds the role.
    is_admin = user_has_role(user_db=self.admin_user, role=target_role)
    self.assertTrue(is_admin)

    # Negative case: the regular user must be refused the role.
    is_admin = user_has_role(user_db=self.regular_user, role=target_role)
    self.assertFalse(is_admin)
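def check_permission(inquiry, requester):
    """Raise unless ``requester`` is allowed to respond to ``inquiry``.

    Two independent parts are evaluated and both must pass:

    * roles - the requester holds at least one role listed in ``inquiry.roles``
    * users - the requester's name is listed in ``inquiry.users``

    A missing or empty list places no restriction for its part, so an inquiry
    that defines neither list can be answered by any requester that reaches
    this function.

    :param inquiry: object read for the optional ``roles`` and ``users``
                    attributes and for ``id``
    :param requester: a user object, or a user name string which is wrapped in
                      ``UserDB``
    :raises InquiryResponseUnauthorized: if either part fails
    """
    # Normalize user object.
    # NOTE(review): a string requester is wrapped in UserDB without any
    # verification here; callers presumably pass an identity that is already
    # authenticated - confirm at the call sites.
    if isinstance(requester, six.string_types):
        user_db = auth_db_models.UserDB(requester)
    else:
        user_db = requester

    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])
    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        # NOTE(review): the role part relies entirely on this helper; confirm
        # what it returns when RBAC is disabled.
        has_role = rbac_utils.user_has_role(user_db, role)
        # Pass the values as logging arguments so the message is only
        # formatted when debug logging is enabled.
        LOG.debug('Checking user %s is in role %s - %s', user_db, role, has_role)
        if has_role:
            roles_passed = True
            break

    # Determine user-level permissions
    users = getattr(inquiry, 'users', [])
    if not users or user_db.name in users:
        users_passed = True

    # Throw exception if either permission check failed.
    if not roles_passed or not users_passed:
        raise inquiry_exceptions.InquiryResponseUnauthorized(
            str(inquiry.id), requester)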
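def _can_respond(self, inquiry, requester_user):
    """Determine if requester_user is permitted to respond based on parameters

    This determines if the requesting user has permission to respond to THIS inquiry.
    Note this is NOT RBAC, and you should still protect the API endpoint with RBAC
    where appropriate.

    A missing or empty ``roles`` or ``users`` list places no restriction for
    that part of the check, so an inquiry that defines neither is answerable
    by every requester that reaches this method.

    :param inquiry: The Inquiry for which the response is given
    :param requester_user: The user providing the response

    :rtype: bool - True if requester_user is able to respond. False if not.
    """
    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])
    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        # Query the role once and reuse the answer, so the logged value is
        # the one the decision is based on and the lookup is not repeated.
        has_role = rbac_utils.user_has_role(requester_user, role)
        LOG.debug("Checking user %s is in role %s - %s", requester_user, role, has_role)
        if has_role:
            roles_passed = True
            break

    # Determine user-level permissions
    users = getattr(inquiry, 'users', [])
    if not users or requester_user.name in users:
        users_passed = True

    # Both must pass
    return roles_passed and users_passed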
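def _can_respond(self, inquiry, requester_user):
    """Determine if requester_user is permitted to respond based on parameters

    This determines if the requesting user has permission to respond to THIS inquiry.
    Note this is NOT RBAC, and you should still protect the API endpoint with RBAC
    where appropriate.

    The role part and the user part are evaluated separately and both must
    pass. An absent or empty list counts as a pass for its part.

    :param inquiry: The Inquiry for which the response is given
    :param requester_user: The user providing the response

    :rtype: bool - True if requester_user is able to respond. False if not.
    """
    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])
    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        # One lookup per role: the same result feeds the debug record and the
        # decision, instead of asking the RBAC helper twice.
        role_granted = rbac_utils.user_has_role(requester_user, role)
        LOG.debug(
            "Checking user %s is in role %s - %s", requester_user, role, role_granted
        )
        if role_granted:
            roles_passed = True
            break

    # Determine user-level permissions
    users = getattr(inquiry, 'users', [])
    if not users or requester_user.name in users:
        users_passed = True

    # Both must pass
    return roles_passed and users_passed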
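def check_permission(inquiry, requester):
    """Verify that ``requester`` may respond to ``inquiry``; raise otherwise.

    The role check and the user check are evaluated separately and both have
    to pass. An absent or empty ``roles`` / ``users`` list counts as a pass
    for its part, which means an inquiry with neither list restricts nobody
    at this layer.

    :param inquiry: object providing the optional ``roles`` and ``users``
                    attributes and ``id``
    :param requester: a user object, or a user name string (wrapped in
                      ``UserDB`` before the checks)
    :raises InquiryResponseUnauthorized: when the role check or the user
                                         check fails
    """
    # Normalize user object.
    # NOTE(review): no authentication happens in this function; a plain name
    # string is accepted as the identity. Confirm every caller supplies an
    # authenticated requester.
    user_db = (
        auth_db_models.UserDB(requester)
        if isinstance(requester, six.string_types)
        else requester
    )

    # Deny by default
    roles_passed = False
    users_passed = False

    # Determine role-level permissions
    roles = getattr(inquiry, 'roles', [])
    if not roles:
        # No roles definition so we treat it as a pass
        roles_passed = True

    for role in roles:
        role_granted = rbac_utils.user_has_role(user_db, role)
        # Logging arguments instead of eager %-formatting: the message is
        # built only when the debug level is active.
        LOG.debug('Checking user %s is in role %s - %s', user_db, role, role_granted)
        if role_granted:
            roles_passed = True
            break

    # Determine user-level permissions
    users = getattr(inquiry, 'users', [])
    if not users or user_db.name in users:
        users_passed = True

    # Throw exception if either permission check failed.
    if not roles_passed or not users_passed:
        raise inquiry_exceptions.InquiryResponseUnauthorized(str(inquiry.id), requester)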
def test_has_role(self):
    """Check the ADMIN role lookup for the admin and the regular test user."""
    # NOTE(review): this method does not set the RBAC enable option itself, so
    # the outcome depends on configuration applied elsewhere - confirm the
    # fixture enables RBAC before relying on the negative assertion.

    # Admin user
    admin_has_role = user_has_role(user=self.admin_user, role=SystemRole.ADMIN)
    self.assertTrue(admin_has_role)

    # Regular user
    regular_has_role = user_has_role(user=self.regular_user, role=SystemRole.ADMIN)
    self.assertFalse(regular_has_role)