def testModelsForUserRoleAssignment(self):
    '''
    Round-trip a user->role mapping through the RbacUserRole model.

    Creates a throwaway user and a 'sysadmin' role, links them with one
    RbacUserRole row, then reads the mapping back by user and checks that
    both ends of the relation survived the save.
    '''
    # NOTE: roles may also live in AD; this covers the case where we sync
    # them or manage them internally.  Likely needs to become configurable.
    admin = usersmodels.User.objects.get(user_name='admin')

    subject = usersmodels.User(user_name="test", full_name="test")
    subject.save()

    models.RbacRole(name='sysadmin', created_by=admin, modified_by=admin).save()
    sysadmin = models.RbacRole.objects.get(name='sysadmin')

    models.RbacUserRole(
        user=subject,
        role=sysadmin,
        created_by=admin,
        modified_by=admin,
        created_date=timeutils.now(),
        modified_date=timeutils.now(),
    ).save()

    stored = models.RbacUserRole.objects.filter(user=subject)
    self.assertEquals(len(stored), 1, 'correct length')
    mapping = stored[0]
    self.assertEquals(mapping.user.user_name, 'test', 'saved ok')
    self.assertEquals(mapping.role.name, 'sysadmin', 'saved ok')
def testModelsForRbacRoles(self):
    '''
    Verify the RbacRole model can be created and read back.

    Saves 'sysadmin' and 'developer' roles, then asserts the total role
    count and the primary key of the second one.  The expected values (3
    roles, pk 3) assume exactly one role already exists from fixtures.
    '''
    admin = usersmodels.User.objects.get(user_name='admin')
    for role_name in ('sysadmin', 'developer'):
        models.RbacRole(
            name=role_name,
            created_by=admin,
            modified_by=admin,
            created_date=timeutils.now(),
            modified_date=timeutils.now(),
        ).save()

    self.assertEquals(len(models.RbacRole.objects.all()), 3,
        'correct number of results')
    reloaded = models.RbacRole.objects.get(name='developer')
    self.assertEquals(reloaded.pk, 3)
def _setupRbac(self):
    '''
    Grant the 'developer' role ModMembers, CreateResource and ReadSet on the
    'All Projects' and 'All Images' query sets, then re-tag the sets.

    RbacEngine.setUp has already built roles, users and query sets; this
    only adds the grants the tests in this class rely on.
    '''
    developer = rbacmodels.RbacRole.objects.get(name='developer')
    admin = usermodels.User.objects.get(user_name='admin')
    self.all_projects = querymodels.QuerySet.objects.get(name='All Projects')
    self.all_images = querymodels.QuerySet.objects.get(name='All Images')

    grant_types = [
        rbacmodels.RbacPermissionType.objects.get(name=type_name)
        for type_name in ('ModMembers', 'CreateResource', 'ReadSet')
    ]
    for target_set in (self.all_projects, self.all_images):
        for grant_type in grant_types:
            rbacmodels.RbacPermission(
                queryset=target_set,
                role=developer,
                permission=grant_type,
                created_by=admin,
                modified_by=admin,
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            ).save()
    # Grants only take effect once the query sets are re-tagged.
    self._retagQuerySets()
def mk_permission(queryset, role, action):
    '''
    Persist one RBAC grant: ``role`` may perform ``action`` on ``queryset``.

    ``role`` and ``action`` are names, resolved against RbacRole and
    RbacPermissionType; a missing name raises DoesNotExist.  The 'admin'
    user is recorded as both creator and modifier.
    '''
    admin = usersmodels.User.objects.get(user_name='admin')
    grant = models.RbacPermission(
        queryset=queryset,
        role=models.RbacRole.objects.get(name=role),
        permission=models.RbacPermissionType.objects.get(name=action),
        created_by=admin,
        modified_by=admin,
        created_date=timeutils.now(),
        modified_date=timeutils.now(),
    )
    grant.save()
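def addQuerySetChosen(self, querySetId, resources, by_user):
    '''
    Replace the "chosen" (explicitly added) members of a query set.

    ``resources`` is a collection whose attribute named after the query
    set's ``resource_type`` holds the new members.  Every member must carry
    the query set's resource type as its xobj tag; previously chosen
    members are deleted before the new ones are tagged.  The query set's
    modified_date (and modified_by, when it changes) is bumped.

    :raises Exception: if any incoming resource is of a different type
        than the query set holds.
    '''
    # TODO: update transitive items
    querySet = self._querySet(querySetId)
    resources_out = getattr(resources, querySet.resource_type)

    # Validate every incoming resource, not just the first one: a
    # heterogeneous list must not be able to slip a foreign type into a
    # set that RBAC grants are evaluated against.
    expected = querySet.resource_type
    for resource in resources_out:
        actual = resource._xobj.tag
        if actual != expected:
            raise Exception("attempting to add an object of the wrong type (%s vs %s)" % (actual, expected))

    # Drop the old chosen members before tagging the replacements.
    tagModel = modellib.type_map[self.tagModelMap[querySet.resource_type]]
    tagModel.objects.filter(
        query_set=querySet,
        inclusion_method=self._chosenMethod(),
    ).delete()

    tagMethod = self._tagMethod(querySet)
    tagMethod(resources_out, querySet, self._chosenMethod())

    update_args = dict(modified_date=timeutils.now())
    if querySet.modified_by != by_user:
        update_args['modified_by'] = by_user
    models.QuerySet.objects.filter(pk=querySet.pk).update(**update_args)
    return self.getQuerySetChosenResult(querySet)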
def updateQuerySetChosen(self, querySetId, resource, by_user):
    '''
    Explicitly add one resource to a query set's chosen results.

    Query sets are homogeneous: the resource's xobj tag must equal the
    set's resource_type or an Exception is raised.  If this resource type
    has no tag method the call is a no-op apart from bumping the set's
    modified_date (and modified_by when it changes).  The tagged_date is
    deliberately left alone because child/filtered results may still be
    stale.
    '''
    querySet = self._querySet(querySetId)
    tagMethod = self._tagMethod(querySet)

    incoming = resource._xobj.tag
    expected = querySet.resource_type
    if incoming != expected:
        raise Exception("attempting to add an object of the wrong type (%s vs %s)" % (incoming, expected))

    if tagMethod is not None:
        tagMethod([resource], querySet, self._chosenMethod())

    changes = {'modified_date': timeutils.now()}
    if querySet.modified_by != by_user:
        changes['modified_by'] = by_user
    models.QuerySet.objects.filter(pk=querySet.pk).update(**changes)
    return self.getQuerySetChosenResult(querySetId)
def updateQuerySet(self, querySet, by_user):
    '''
    Edit a query set and refresh membership for it and all its ancestors.

    Raises errors.QuerySetReadOnly when the set is not modifiable.  The
    filter terms may have changed, so each ancestor and the set itself is
    re-evaluated and transitively re-tagged so RBAC sees current
    membership; this is expected to be slow but rare.
    '''
    if not querySet.can_modify:
        raise errors.QuerySetReadOnly(querySetName=querySet.name)

    querySet.tagged_date = None

    # Work on a fresh list so the ancestors() result itself is not mutated.
    affected = list(querySet.ancestors())
    affected.append(querySet)
    for member in affected:
        allResult = self._getQuerySetAllResult(member)
        self._tagSingleQuerySetTransitive(member, allResult)
        self._updateQuerySetTaggedDate(member)
        # Called for its side effects: refreshes tag info without using tags.
        self.getQuerySetAllResult(member, use_tags=False)

        changes = {'modified_date': timeutils.now()}
        if member.modified_by != by_user:
            changes['modified_by'] = by_user
        models.QuerySet.objects.filter(pk=member.pk).update(**changes)

    self._recomputeStatic(querySet)
    querySet.save()
    return querySet
def deleteQuerySetChild(self, querySetId, queryset, for_user):
    '''
    Detach ``queryset`` from the children of the query set ``querySetId``.

    Records ``for_user`` and the current time as the modifier and returns
    the saved parent.
    NOTE(review): unlike updateQuerySet there is no can_modify check here;
    confirm whether read-only sets should reject child removal.
    '''
    parent = self._querySet(querySetId)
    parent.children.remove(queryset)
    parent.modified_by = for_user
    parent.modified_date = timeutils.now()
    parent.save()
    return parent
def updateRbacRole(self, old_id, role, by_user):
    '''
    Save an edited role, preserving its original creator and creation date.

    The previous row is located via the role_id carried in
    ``role.oldModel``; ``old_id`` is accepted but not consulted.
    NOTE(review): confirm oldModel is populated by the framework from the
    URL-addressed row and not from request content, otherwise a client
    could point the update at a different role than the URL names.
    Raises Exception when the previous row has no created_date.  Role
    query sets are invalidated after the save.
    '''
    previousId = role.oldModel.xpath("./role_id/text()")[0]
    previous = models.RbacRole.objects.get(pk=previousId)

    role.created_by = previous.created_by
    if previous.created_date is None:
        raise Exception("ERROR: invalid previous object?")
    role.created_date = previous.created_date

    role.modified_date = timeutils.now()
    role.modified_by = by_user
    role.save()

    self.mgr.invalidateQuerySetsByType("role")
    return role
def updateRbacPermission(self, old_id, permission, by_user):
    '''
    Save an edited grant, preserving its original creator and creation date.

    The previous row is located via the grant_id carried in
    ``permission.oldModel``; ``old_id`` is accepted but not consulted.
    NOTE(review): confirm oldModel is populated by the framework from the
    URL-addressed row and not from request content, otherwise a client
    could point the update at a different grant than the URL names.
    Raises Exception when the previous row has no created_date.  Grant
    query sets are invalidated after the save.
    '''
    previousId = permission.oldModel.xpath("./grant_id/text()")[0]
    previous = models.RbacPermission.objects.get(pk=previousId)
    if previous.created_date is None:
        raise Exception("ERROR: invalid previous object?")

    permission.created_by = previous.created_by
    permission.created_date = previous.created_date
    permission.modified_date = timeutils.now()
    permission.modified_by = by_user
    permission.save()

    self.mgr.invalidateQuerySetsByType("grant")
    return permission
def updateSystem(self, system, for_user=None):
    '''
    Save changes to a system and invalidate system query sets.

    If the system's last job completed, addSystem is re-run (without
    certificate generation or re-tagging) and the system state is derived
    from that job.  modified_by is only set when ``for_user`` is given;
    modified_date is always bumped.
    '''
    lastJob = getattr(system, 'lastJob', None)
    jobDone = (lastJob is not None and
        lastJob.job_state.name == jobmodels.JobState.COMPLETED)
    if lastJob and jobDone:
        # addSystem updates the system state as a side effect.
        self.addSystem(system, generateCertificates=False, withRetagging=False)
        self.setSystemStateFromJob(system)

    if for_user:
        system.modified_by = for_user
    system.modified_date = timeutils.now()
    system.save()

    self.mgr.invalidateQuerySetsByType('system')
    return system
def setUp(self):
    '''
    Build the manager under test with repository and product-definition
    calls mocked out, then grant the 'developer' role ModMembers and
    CreateResource on the 'All Projects' and 'All Project Stages' sets.

    XML-level RBAC behaviour is not exercised here; rbac/tests.py covers it.
    '''
    RbacEngine.setUp(self)

    # Keep repository side effects out of these tests.
    mock.mock(reposmanager.ReposManager, "createRepositoryForProject")
    mock.mock(reposmanager.ReposManager, "createSourceTrove")

    fakeProdDef = mock.MockObject()
    fakeProdDef.getImageGroup._mock.setReturn("group-foo-appliance")
    fakeProdDef.loadFromRepository._mock.setReturn(fakeProdDef)

    # self.mock() is undone automatically when the test finishes.
    self.mock(basemanager.BaseRbuilderManager, "restDb", mock.MockObject())
    fakeRestDb = basemanager.BaseRbuilderManager.restDb
    fakeRestDb.getProductVersionDefinitionFromVersion._mock.setDefaultReturn(fakeProdDef)
    mock.mock(manager.ProjectManager, "setProductVersionDefinition")

    self.mgr = rbuildermanager.RbuilderManager()
    self.mintConfig = self.mgr.cfg

    # NOTE(review): the original comment described these grants as going to
    # a sysadmin user, but the code grants them to the 'developer' role.
    developer = rbacmodels.RbacRole.objects.get(name='developer')
    self.all_projects = querymodels.QuerySet.objects.get(name='All Projects')
    self.all_pbs = querymodels.QuerySet.objects.get(name='All Project Stages')
    admin = usersmodels.User.objects.get(user_name='admin')
    grant_types = [
        rbacmodels.RbacPermissionType.objects.get(name=type_name)
        for type_name in ('ModMembers', 'CreateResource')
    ]
    for target_set in (self.all_projects, self.all_pbs):
        for grant_type in grant_types:
            rbacmodels.RbacPermission(
                queryset=target_set,
                role=developer,
                permission=grant_type,
                created_by=admin,
                modified_by=admin,
                created_date=timeutils.now(),
                modified_date=timeutils.now(),
            ).save()
    self._retagQuerySets()
def testModelsForRbacPermissions(self):
    '''
    Round-trip a grant through the RbacPermission model.

    Creates a bare query set and a 'sysadmin' role, grants MODSETDEF on the
    set, then filters grants by query set and checks the permission name,
    the query set pk (assumed to be one past the pre-existing count) and
    the role name.
    '''
    existing = len(list(querymodels.QuerySet.objects.all()))
    admin = usersmodels.User.objects.get(user_name='admin')

    # TODO: load from queryset fixture?
    target_set = querymodels.QuerySet()
    target_set.save()

    models.RbacRole(
        name='sysadmin',
        created_by=admin,
        modified_by=admin,
        created_date=timeutils.now(),
        modified_date=timeutils.now(),
    ).save()
    sysadmin = models.RbacRole.objects.get(name='sysadmin')

    action_name = MODSETDEF
    models.RbacPermission(
        queryset=target_set,
        role=sysadmin,
        permission=models.RbacPermissionType.objects.get(name=action_name),
        created_by=admin,
        modified_by=admin,
        created_date=timeutils.now(),
        modified_date=timeutils.now(),
    ).save()

    grants = models.RbacPermission.objects.filter(queryset=target_set)
    self.assertEquals(len(grants), 1, 'correct length')
    grant = grants[0]
    self.assertEquals(grant.permission.name, action_name, 'saved ok')
    self.assertEquals(grant.queryset.pk, existing + 1, 'saved ok')
    self.assertEquals(grant.role.name, 'sysadmin', 'saved ok')
def setUp(self):
    '''
    Seed roles and grants for the RBAC tests.

    Creates 'sysadmin', 'developer' and 'intern' roles, then grants:
      * sysadmin:  MODMEMBERS + CREATERESOURCE on the datacenter set
      * developer: READMEMBERS on the datacenter set
      * developer: MODMEMBERS + CREATERESOURCE on the lab set
    'intern' receives no grants.
    '''
    RbacTestCase.setUp(self)
    admin = usersmodels.User.objects.get(user_name='admin')

    self.seed_data = ['sysadmin', 'developer', 'intern']
    for role_name in self.seed_data:
        models.RbacRole(
            name=role_name,
            created_by=admin,
            modified_by=admin,
            created_date=timeutils.now(),
            modified_date=timeutils.now(),
        ).save()

    def grant(target_set, role_name, action):
        models.RbacPermission(
            queryset=target_set,
            role=models.RbacRole.objects.get(name=role_name),
            permission=models.RbacPermissionType.objects.get(name=action),
            created_by=admin,
            modified_by=admin,
            created_date=timeutils.now(),
            modified_date=timeutils.now(),
        ).save()

    for action in (MODMEMBERS, CREATERESOURCE):
        grant(self.datacenter_queryset, 'sysadmin', action)
    grant(self.datacenter_queryset, 'developer', READMEMBERS)
    for action in (MODMEMBERS, CREATERESOURCE):
        grant(self.lab_queryset, 'developer', action)
def deleteQuerySetChosen(self, querySetId, resource, by_user):
    '''
    Remove one explicitly chosen resource from a query set's results.

    Deletes the tag rows linking ``resource`` to the set under the
    "chosen" inclusion method, bumps the set's modified_date (and
    modified_by when it changes) and returns the refreshed chosen result.
    '''
    # TODO: if for this querySet I'm marked chosen but NOT filtered
    # set the tagged_date back to NULL so it will be retagged next time
    querySet = self._querySet(querySetId)
    tagModel = modellib.type_map[self.tagModelMap[querySet.resource_type]]

    # The tag model names its resource column via tagged_field, falling
    # back to the resource type itself.
    resourceField = getattr(tagModel, 'tagged_field', querySet.resource_type)
    lookup = {
        'query_set': querySet,
        'inclusion_method': self._chosenMethod(),
        resourceField: resource,
    }
    tagModel.objects.filter(**lookup).delete()

    changes = {'modified_date': timeutils.now()}
    if querySet.modified_by != by_user:
        changes['modified_by'] = by_user
    models.QuerySet.objects.filter(pk=querySet.pk).update(**changes)
    return self.getQuerySetChosenResult(querySetId)
def testGrantMatrixForNewRole(self):
    '''
    Regression test for RCE-1444: a freshly created role must appear in a
    query set's grant matrix.

    Adds a 'guru' role, fetches the grant matrix for the targets query set
    and compares the XML against a literal that lists all four roles
    (sysadmin, developer, intern, guru) with every permission type.
    The credentials in this copy of the test are redacted.
    '''
    # RCE-1444
    models.RbacRole.objects.create(
        name='guru',
        created_by=usersmodels.User.objects.get(user_name='admin'),
        modified_by=usersmodels.User.objects.get(user_name='admin'),
        created_date=timeutils.now(),
        modified_date=timeutils.now()
    )
    response = self._get("query_sets/%s/grant_matrix" % self.targets_queryset.pk,
        username='******', password='******'
    )
    self.assertEquals(response.status_code, 200)
    # XXX misa: I am not sure if this output is right, but there was
    # no test and the code is really horrible
    self.assertXMLEquals(response.content, """\
<roles count="4" end_index="3" filter_by="" full_collection="" id="http://testserver/api/v1/rbac/roles" limit="999999" next_page="0" num_pages="1" order_by="" per_page="4" previous_page="0" start_index="0">
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/2</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>sysadmin</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>2</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/3</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>developer</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>3</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/4</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>intern</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>4</role_id>
  </role>
  <role>
    <createresource_permission>
      <description>Create Resource</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/5</matrix_permission_id>
      <name>CreateResource</name>
      <permission_id>5</permission_id>
    </createresource_permission>
    <description/>
    <matrix_role_id>http://testserver/api/v1/rbac/roles/8</matrix_role_id>
    <modmembers_permission>
      <description>Modify Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/2</matrix_permission_id>
      <name>ModMembers</name>
      <permission_id>2</permission_id>
    </modmembers_permission>
    <modsetdef_permission>
      <description>Modify Set Definition</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/4</matrix_permission_id>
      <name>ModSetDef</name>
      <permission_id>4</permission_id>
    </modsetdef_permission>
    <name>guru</name>
    <readmembers_permission>
      <description>Read Member Resources</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/1</matrix_permission_id>
      <name>ReadMembers</name>
      <permission_id>1</permission_id>
    </readmembers_permission>
    <readset_permission>
      <description>Read Set</description>
      <matrix_permission_id>http://testserver/api/v1/rbac/permissions/3</matrix_permission_id>
      <name>ReadSet</name>
      <permission_id>3</permission_id>
    </readset_permission>
    <role_id>8</role_id>
  </role>
</roles>
""")
def _updateQuerySetTaggedDate(self, querySet):
    '''
    Stamp ``querySet``'s tagged_date with the current time.

    Issues a single UPDATE by primary key rather than saving the instance,
    so no other fields are written back.
    '''
    matching = models.QuerySet.objects.filter(pk=querySet.pk)
    matching.update(tagged_date=timeutils.now())