def _verify_tenant(uri): tenanted_resources = [ FILE_SERVER_BLUEPRINTS_FOLDER, FILE_SERVER_UPLOADED_BLUEPRINTS_FOLDER, FILE_SERVER_DEPLOYMENTS_FOLDER, FILE_SERVER_TENANT_RESOURCES_FOLDER ] tenanted_resources = [r.strip('/') for r in tenanted_resources] uri = uri.strip('/') # verifying that the only tenant that can be accessed is the one in # the header for resource in tenanted_resources: if uri.startswith(resource): # Example of uri: 'blueprints/default_tenant/blueprint_1/ # scripts/configure.sh' _, uri_tenant = uri.split('/', 2)[:2] authenticator.authenticate(request) # if it's global blueprint - no need or tenant verification # first load requested tenant to config then check if global tenant = get_storage_manager().get( models.Tenant, uri_tenant, filters={'name': uri_tenant}) utils.set_current_tenant(tenant) if FileServerAuth._is_global_blueprint(uri): return @authorize('file_server_auth', uri_tenant) def _authorize(): pass _authorize() return
def wrapper(*args, **kwargs): # getting the tenant name if get_tenant_from == 'header': tenant_name = tenant_for_auth or request.headers.get( CLOUDIFY_TENANT_HEADER) elif get_tenant_from == 'param': tenant_name = tenant_for_auth or kwargs['tenant_name'] elif get_tenant_from == 'data': tenant_name = tenant_for_auth or get_json_and_verify_params({ 'tenant_name': { 'type': unicode } }).get('tenant_name') else: tenant_name = tenant_for_auth # finding tenant to add to the app config if tenant_name: try: tenant = get_storage_manager().get( Tenant, tenant_name, filters={'name': tenant_name}) utils.set_current_tenant(tenant) except NotFoundError: raise ForbiddenError( 'Authorization failed: Tried to authenticate with ' 'invalid tenant name: {0}'.format(tenant_name)) # when running unittests, there is no authorization if config.instance.test_mode: return func(*args, **kwargs) # extracting tenant roles for user in the tenant tenant_roles = [] for t in current_user.all_tenants: if (allow_all_tenants and request_use_all_tenants()) \ or t.name == tenant_name: tenant_roles += current_user.all_tenants[t] # joining user's system role with his tenant roles user_roles = [role.name for role in tenant_roles] \ + current_user.system_roles # getting the roles allowed to perform requested action action_roles = config.instance.authorization_permissions[action] # checking if any of the user's roles is allowed to perform action for user_role in user_roles: if user_role in action_roles: return func(*args, **kwargs) # none of the user's role is allowed to perform the action error_message = 'User `{0}` is not permitted to perform the ' \ 'action {1}'.format(current_user.username, action) if tenant_name: error_message += ' in the tenant `{0}`'.format(tenant_name) raise ForbiddenError(error_message)
def _handle_default_db_config(): Migrate(app=server.app, db=server.db) try: upgrade(directory=MIGRATION_DIR) except sqlalchemy.exc.OperationalError: logger = logging.getLogger() logger.error("Could not connect to the database - is a " "postgresql server running on localhost?") logger.error("HINT: Create a docker container running postgresql " "by doing `docker run --name cloudify-db-unit-test " "-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 " "-d postgres`") raise admin_user = get_admin_user() fd, temp_auth_file = tempfile.mkstemp() os.close(fd) with open(temp_auth_file, 'w') as f: yaml.dump(auth_dict, f) try: # We're mocking the AMQPManager, we aren't really using Rabbit here default_tenant = create_default_user_tenant_and_roles( admin_username=admin_user['username'], admin_password=admin_user['password'], amqp_manager=MagicMock(), authorization_file_path=temp_auth_file ) default_tenant.rabbitmq_username = \ 'rabbitmq_username_default_tenant' default_tenant.rabbitmq_vhost = \ 'rabbitmq_vhost_defualt_tenant' default_tenant.rabbitmq_password = \ 'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \ 'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \ 'G6jxqQDeEf5Heos0ia4Q5H ' for reporter in get_status_reporters(): create_status_reporter_user_and_assign_role( reporter['username'], reporter['password'], reporter['role'], reporter['id'] ) if premium_enabled: # License is required only when working with Cloudify Premium upload_mock_cloudify_license(get_storage_manager()) finally: os.remove(temp_auth_file) utils.set_current_tenant(default_tenant)
def wrapper(*args, **kwargs): # getting the tenant name if get_tenant_from == 'header': tenant_name = tenant_for_auth or request.headers.get( CLOUDIFY_TENANT_HEADER) elif get_tenant_from == 'param': tenant_name = tenant_for_auth or kwargs['tenant_name'] elif get_tenant_from == 'data': tenant_name = tenant_for_auth or get_json_and_verify_params( {'tenant_name': {'type': unicode}}).get('tenant_name') else: tenant_name = tenant_for_auth # finding tenant to add to the app config if tenant_name: try: tenant = get_storage_manager().get( Tenant, tenant_name, filters={'name': tenant_name} ) utils.set_current_tenant(tenant) except NotFoundError: raise ForbiddenError( 'Authorization failed: Tried to authenticate with ' 'invalid tenant name: {0}'.format(tenant_name) ) if not current_user.active: raise ForbiddenError( 'Authorization failed: ' 'User `{0}` is deactivated'.format(current_user.username) ) # when running unittests, there is no authorization if config.instance.test_mode: return func(*args, **kwargs) # checking if any of the user's roles is allowed to perform action if is_user_action_allowed(action, tenant_name, allow_all_tenants): return func(*args, **kwargs) # none of the user's role is allowed to perform the action error_message = 'User `{0}` is not permitted to perform the ' \ 'action {1}'.format(current_user.username, action) if tenant_name: error_message += ' in the tenant `{0}`'.format(tenant_name) raise ForbiddenError(error_message)
def wrapper(*args, **kwargs): # getting the tenant name if get_tenant_from == 'header': tenant_name = tenant_for_auth or request.headers.get( CLOUDIFY_TENANT_HEADER) elif get_tenant_from == 'param': tenant_name = tenant_for_auth or kwargs['tenant_name'] elif get_tenant_from == 'data': tenant_name = tenant_for_auth or get_json_and_verify_params({ 'tenant_name': { 'type': text_type } }).get('tenant_name') else: tenant_name = tenant_for_auth # finding tenant to add to the app config if tenant_name: try: tenant = get_storage_manager().get( Tenant, tenant_name, filters={'name': tenant_name}) utils.set_current_tenant(tenant) except NotFoundError: raise ForbiddenError( 'Authorization failed: Tried to authenticate with ' 'invalid tenant name: {0}'.format(tenant_name)) if not current_user.active: raise ForbiddenError('Authorization failed: ' 'User `{0}` is deactivated'.format( current_user.username)) # when running unittests, there is no authorization if config.instance.test_mode: return func(*args, **kwargs) # checking if any of the user's roles is allowed to perform action if is_user_action_allowed(action, tenant_name, allow_all_tenants): return func(*args, **kwargs) # none of the user's role is allowed to perform the action error_message = 'User `{0}` is not permitted to perform the ' \ 'action {1}'.format(current_user.username, action) if tenant_name: error_message += ' in the tenant `{0}`'.format(tenant_name) raise ForbiddenError(error_message)
def _handle_default_db_config(): Migrate(app=server.app, db=server.db) try: upgrade(directory=MIGRATION_DIR) except sqlalchemy.exc.OperationalError: logger = logging.getLogger() logger.error("Could not connect to the database - is a " "postgresql server running on localhost?") logger.error("HINT: Create a docker container running postgresql " "by doing `docker run --name cloudify-db-unit-test " "-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 " "-d postgres`") raise admin_user = get_admin_user() fd, temp_auth_file = tempfile.mkstemp() os.close(fd) with open(temp_auth_file, 'w') as f: yaml.dump(auth_dict, f) try: # We're mocking the AMQPManager, we aren't really using Rabbit here default_tenant = create_default_user_tenant_and_roles( admin_username=admin_user['username'], admin_password=admin_user['password'], amqp_manager=MagicMock(), authorization_file_path=temp_auth_file ) default_tenant.rabbitmq_password = \ 'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \ 'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \ 'G6jxqQDeEf5Heos0ia4Q5H ' if premium_enabled: # License is required only when working with Cloudify Premium upload_mock_cloudify_license(get_storage_manager()) finally: os.remove(temp_auth_file) utils.set_current_tenant(default_tenant)
def _handle_default_db_config(server): server.db.create_all() admin_user = get_admin_user() fd, temp_auth_file = tempfile.mkstemp() os.close(fd) with open(temp_auth_file, 'w') as f: yaml.dump(auth_dict, f) try: # We're mocking the AMQPManager, we aren't really using Rabbit here default_tenant = create_default_user_tenant_and_roles( admin_username=admin_user['username'], admin_password=admin_user['password'], amqp_manager=MagicMock(), authorization_file_path=temp_auth_file) finally: os.remove(temp_auth_file) utils.set_current_tenant(default_tenant)
def _handle_default_db_config(): try: server.db.create_all() except sqlalchemy.exc.OperationalError: logger = logging.getLogger() logger.error("Could not connect to the database - is a " "postgresql server running on localhost?") logger.error("HINT: Create a docker container running postgresql " "by doing `docker run --name cloudify-db-unit-test " "-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 " "-d postgres`") raise admin_user = get_admin_user() fd, temp_auth_file = tempfile.mkstemp() os.close(fd) with open(temp_auth_file, 'w') as f: yaml.dump(auth_dict, f) try: # We're mocking the AMQPManager, we aren't really using Rabbit here default_tenant = create_default_user_tenant_and_roles( admin_username=admin_user['username'], admin_password=admin_user['password'], amqp_manager=MagicMock(), authorization_file_path=temp_auth_file ) default_tenant.rabbitmq_password = \ 'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \ 'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \ 'G6jxqQDeEf5Heos0ia4Q5H ' finally: os.remove(temp_auth_file) utils.set_current_tenant(default_tenant)
def set_tenant_in_app(tenant): """Set the tenant as the current tenant in the flask app. Requires app context (using `with app.app_context()` or push as returned by setup_flask_app""" utils.set_current_tenant(tenant)
def set_tenant_in_app(tenant): """Set the tenant as the current tenant in the flask app. Requires app context (using `with app.app_context()` or push as returned by setup_flask_app""" utils.set_current_tenant(tenant)
def _set_tenant_in_app(tenant, app, storage_manager, admin_user): """Create a new tenant with `tenant_name`, and set it as the current tenant in the flask app """ storage_manager.put(tenant) utils.set_current_tenant(tenant)