def _verify_tenant(uri):
tenanted_resources = [
FILE_SERVER_BLUEPRINTS_FOLDER,
FILE_SERVER_UPLOADED_BLUEPRINTS_FOLDER,
FILE_SERVER_DEPLOYMENTS_FOLDER, FILE_SERVER_TENANT_RESOURCES_FOLDER
]
tenanted_resources = [r.strip('/') for r in tenanted_resources]
uri = uri.strip('/')
# verifying that the only tenant that can be accessed is the one in
# the header
for resource in tenanted_resources:
if uri.startswith(resource):
# Example of uri: 'blueprints/default_tenant/blueprint_1/
# scripts/configure.sh'
_, uri_tenant = uri.split('/', 2)[:2]
authenticator.authenticate(request)
# if it's global blueprint - no need or tenant verification
# first load requested tenant to config then check if global
tenant = get_storage_manager().get(
models.Tenant, uri_tenant, filters={'name': uri_tenant})
utils.set_current_tenant(tenant)
if FileServerAuth._is_global_blueprint(uri):
return
@authorize('file_server_auth', uri_tenant)
def _authorize():
pass
_authorize()
return
def wrapper(*args, **kwargs):
# getting the tenant name
if get_tenant_from == 'header':
tenant_name = tenant_for_auth or request.headers.get(
CLOUDIFY_TENANT_HEADER)
elif get_tenant_from == 'param':
tenant_name = tenant_for_auth or kwargs['tenant_name']
elif get_tenant_from == 'data':
tenant_name = tenant_for_auth or get_json_and_verify_params({
'tenant_name': {
'type': unicode
}
}).get('tenant_name')
else:
tenant_name = tenant_for_auth
# finding tenant to add to the app config
if tenant_name:
try:
tenant = get_storage_manager().get(
Tenant, tenant_name, filters={'name': tenant_name})
utils.set_current_tenant(tenant)
except NotFoundError:
raise ForbiddenError(
'Authorization failed: Tried to authenticate with '
'invalid tenant name: {0}'.format(tenant_name))
# when running unittests, there is no authorization
if config.instance.test_mode:
return func(*args, **kwargs)
# extracting tenant roles for user in the tenant
tenant_roles = []
for t in current_user.all_tenants:
if (allow_all_tenants and request_use_all_tenants()) \
or t.name == tenant_name:
tenant_roles += current_user.all_tenants[t]
# joining user's system role with his tenant roles
user_roles = [role.name for role in tenant_roles] \
+ current_user.system_roles
# getting the roles allowed to perform requested action
action_roles = config.instance.authorization_permissions[action]
# checking if any of the user's roles is allowed to perform action
for user_role in user_roles:
if user_role in action_roles:
return func(*args, **kwargs)
# none of the user's role is allowed to perform the action
error_message = 'User `{0}` is not permitted to perform the ' \
'action {1}'.format(current_user.username, action)
if tenant_name:
error_message += ' in the tenant `{0}`'.format(tenant_name)
raise ForbiddenError(error_message)
def _handle_default_db_config():
Migrate(app=server.app, db=server.db)
try:
upgrade(directory=MIGRATION_DIR)
except sqlalchemy.exc.OperationalError:
logger = logging.getLogger()
logger.error("Could not connect to the database - is a "
"postgresql server running on localhost?")
logger.error("HINT: Create a docker container running postgresql "
"by doing `docker run --name cloudify-db-unit-test "
"-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 "
"-d postgres`")
raise
admin_user = get_admin_user()
fd, temp_auth_file = tempfile.mkstemp()
os.close(fd)
with open(temp_auth_file, 'w') as f:
yaml.dump(auth_dict, f)
try:
# We're mocking the AMQPManager, we aren't really using Rabbit here
default_tenant = create_default_user_tenant_and_roles(
admin_username=admin_user['username'],
admin_password=admin_user['password'],
amqp_manager=MagicMock(),
authorization_file_path=temp_auth_file
)
default_tenant.rabbitmq_username = \
'rabbitmq_username_default_tenant'
default_tenant.rabbitmq_vhost = \
'rabbitmq_vhost_defualt_tenant'
default_tenant.rabbitmq_password = \
'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \
'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \
'G6jxqQDeEf5Heos0ia4Q5H '
for reporter in get_status_reporters():
create_status_reporter_user_and_assign_role(
reporter['username'],
reporter['password'],
reporter['role'],
reporter['id']
)
if premium_enabled:
# License is required only when working with Cloudify Premium
upload_mock_cloudify_license(get_storage_manager())
finally:
os.remove(temp_auth_file)
utils.set_current_tenant(default_tenant)
def wrapper(*args, **kwargs):
# getting the tenant name
if get_tenant_from == 'header':
tenant_name = tenant_for_auth or request.headers.get(
CLOUDIFY_TENANT_HEADER)
elif get_tenant_from == 'param':
tenant_name = tenant_for_auth or kwargs['tenant_name']
elif get_tenant_from == 'data':
tenant_name = tenant_for_auth or get_json_and_verify_params(
{'tenant_name': {'type': unicode}}).get('tenant_name')
else:
tenant_name = tenant_for_auth
# finding tenant to add to the app config
if tenant_name:
try:
tenant = get_storage_manager().get(
Tenant,
tenant_name,
filters={'name': tenant_name}
)
utils.set_current_tenant(tenant)
except NotFoundError:
raise ForbiddenError(
'Authorization failed: Tried to authenticate with '
'invalid tenant name: {0}'.format(tenant_name)
)
if not current_user.active:
raise ForbiddenError(
'Authorization failed: '
'User `{0}` is deactivated'.format(current_user.username)
)
# when running unittests, there is no authorization
if config.instance.test_mode:
return func(*args, **kwargs)
# checking if any of the user's roles is allowed to perform action
if is_user_action_allowed(action, tenant_name, allow_all_tenants):
return func(*args, **kwargs)
# none of the user's role is allowed to perform the action
error_message = 'User `{0}` is not permitted to perform the ' \
'action {1}'.format(current_user.username, action)
if tenant_name:
error_message += ' in the tenant `{0}`'.format(tenant_name)
raise ForbiddenError(error_message)
def wrapper(*args, **kwargs):
# getting the tenant name
if get_tenant_from == 'header':
tenant_name = tenant_for_auth or request.headers.get(
CLOUDIFY_TENANT_HEADER)
elif get_tenant_from == 'param':
tenant_name = tenant_for_auth or kwargs['tenant_name']
elif get_tenant_from == 'data':
tenant_name = tenant_for_auth or get_json_and_verify_params({
'tenant_name': {
'type': text_type
}
}).get('tenant_name')
else:
tenant_name = tenant_for_auth
# finding tenant to add to the app config
if tenant_name:
try:
tenant = get_storage_manager().get(
Tenant, tenant_name, filters={'name': tenant_name})
utils.set_current_tenant(tenant)
except NotFoundError:
raise ForbiddenError(
'Authorization failed: Tried to authenticate with '
'invalid tenant name: {0}'.format(tenant_name))
if not current_user.active:
raise ForbiddenError('Authorization failed: '
'User `{0}` is deactivated'.format(
current_user.username))
# when running unittests, there is no authorization
if config.instance.test_mode:
return func(*args, **kwargs)
# checking if any of the user's roles is allowed to perform action
if is_user_action_allowed(action, tenant_name, allow_all_tenants):
return func(*args, **kwargs)
# none of the user's role is allowed to perform the action
error_message = 'User `{0}` is not permitted to perform the ' \
'action {1}'.format(current_user.username, action)
if tenant_name:
error_message += ' in the tenant `{0}`'.format(tenant_name)
raise ForbiddenError(error_message)
def _handle_default_db_config():
Migrate(app=server.app, db=server.db)
try:
upgrade(directory=MIGRATION_DIR)
except sqlalchemy.exc.OperationalError:
logger = logging.getLogger()
logger.error("Could not connect to the database - is a "
"postgresql server running on localhost?")
logger.error("HINT: Create a docker container running postgresql "
"by doing `docker run --name cloudify-db-unit-test "
"-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 "
"-d postgres`")
raise
admin_user = get_admin_user()
fd, temp_auth_file = tempfile.mkstemp()
os.close(fd)
with open(temp_auth_file, 'w') as f:
yaml.dump(auth_dict, f)
try:
# We're mocking the AMQPManager, we aren't really using Rabbit here
default_tenant = create_default_user_tenant_and_roles(
admin_username=admin_user['username'],
admin_password=admin_user['password'],
amqp_manager=MagicMock(),
authorization_file_path=temp_auth_file
)
default_tenant.rabbitmq_password = \
'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \
'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \
'G6jxqQDeEf5Heos0ia4Q5H '
if premium_enabled:
# License is required only when working with Cloudify Premium
upload_mock_cloudify_license(get_storage_manager())
finally:
os.remove(temp_auth_file)
utils.set_current_tenant(default_tenant)
def _handle_default_db_config(server):
server.db.create_all()
admin_user = get_admin_user()
fd, temp_auth_file = tempfile.mkstemp()
os.close(fd)
with open(temp_auth_file, 'w') as f:
yaml.dump(auth_dict, f)
try:
# We're mocking the AMQPManager, we aren't really using Rabbit here
default_tenant = create_default_user_tenant_and_roles(
admin_username=admin_user['username'],
admin_password=admin_user['password'],
amqp_manager=MagicMock(),
authorization_file_path=temp_auth_file)
finally:
os.remove(temp_auth_file)
utils.set_current_tenant(default_tenant)
def _handle_default_db_config():
try:
server.db.create_all()
except sqlalchemy.exc.OperationalError:
logger = logging.getLogger()
logger.error("Could not connect to the database - is a "
"postgresql server running on localhost?")
logger.error("HINT: Create a docker container running postgresql "
"by doing `docker run --name cloudify-db-unit-test "
"-e POSTGRES_PASSWORD=cloudify -e POSTGRES_USER="******"cloudify -e POSTGRES_DB=cloudify_db -p 5432:5432 "
"-d postgres`")
raise
admin_user = get_admin_user()
fd, temp_auth_file = tempfile.mkstemp()
os.close(fd)
with open(temp_auth_file, 'w') as f:
yaml.dump(auth_dict, f)
try:
# We're mocking the AMQPManager, we aren't really using Rabbit here
default_tenant = create_default_user_tenant_and_roles(
admin_username=admin_user['username'],
admin_password=admin_user['password'],
amqp_manager=MagicMock(),
authorization_file_path=temp_auth_file
)
default_tenant.rabbitmq_password = \
'gAAAAABb9p7U_Lnlmg7vyijjoxovyg215ThYi-VCTCzVYa1p-vpzi31WGko' \
'KD_hK1mQyKgjRss_Nz-3m-cgHpZChnVT4bxZIjnOnL6sF8RtozvlRoGHtnF' \
'G6jxqQDeEf5Heos0ia4Q5H '
finally:
os.remove(temp_auth_file)
utils.set_current_tenant(default_tenant)
def set_tenant_in_app(tenant):
"""Set the tenant as the current tenant in the flask app.
Requires app context (using `with app.app_context()` or push as returned
by setup_flask_app"""
utils.set_current_tenant(tenant)
def set_tenant_in_app(tenant):
"""Set the tenant as the current tenant in the flask app.
Requires app context (using `with app.app_context()` or push as returned
by setup_flask_app"""
utils.set_current_tenant(tenant)
def _set_tenant_in_app(tenant, app, storage_manager, admin_user):
"""Create a new tenant with `tenant_name`, and set it as the current
tenant in the flask app
"""
storage_manager.put(tenant)
utils.set_current_tenant(tenant)
