def GET(self): query_manager = managers.user_query_manager() users = query_manager.find_all() self._process_users(users) return self.ok(users)
def GET(self): role_query_manager = managers.role_query_manager() user_query_manager = managers.user_query_manager() permissions_manager = managers.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [ u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id']) ] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [ permissions_manager.operation_value_to_name(o) for o in operations ] role['permissions'] = resource_permission for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def get(self, request): """ List all roles. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :return: Response containing a list of roles :rtype: django.http.HttpResponse """ role_query_manager = factory.role_query_manager() user_query_manager = factory.user_query_manager() permissions_manager = factory.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id'])] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission link = {'_href': reverse('role_resource', kwargs={'role_id': role['id']})} role.update(link) return generate_json_response_with_pulp_encoder(roles)
def _check_username_password_local(self, username, password=None): """ Check a username and password against the local database. Return None if the username and password are not valid :type username: str :param username: the login of the user :type password: str or None :param password: password of the user, None => do not validate the password :rtype: L{pulp.server.db.model.auth.User} instance or None :return: user corresponding to the credentials """ user_query_manager = factory.user_query_manager() user = user_query_manager.find_by_login(username) if user is None: _logger.debug(_('User [%(u)s] specified in certificate was not found in the system') % {'u': username}) return None if user['password'] is None and password is not None: _logger.debug('This is an ldap user %s' % user) return None if password is not None: if not factory.password_manager().check_password(user['password'], password): _logger.debug('Password for user [%s] was incorrect' % username) return None return user
def add_permissions_to_role(role_id, resource, operations): """ Add permissions to a role. :param role_id: role identifier :type role_id: str :param resource: resource path to grant permissions to :type resource: str :param operations: list or tuple :type operations: list of allowed operations being granted :raise MissingResource: if the given role does not exist """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].setdefault(resource, []) for o in operations: if o in current_ops: continue current_ops.append(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: factory.permission_manager().grant(resource, user['login'], operations) Role.get_collection().save(role, safe=True)
def GET(self): role_query_manager = managers.role_query_manager() user_query_manager = managers.user_query_manager() permissions_manager = managers.permission_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in user_query_manager.find_users_belonging_to_role(role['id'])] resource_permission = {} # isolate schema change if role['permissions']: for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def test_syntactic_sugar_methods(self): """ Tests the syntactic sugar methods for retrieving specific managers. """ # Setup factory.initialize() # Test self.assertTrue(isinstance(factory.authentication_manager(), AuthenticationManager)) self.assertTrue(isinstance(factory.cert_generation_manager(), CertGenerationManager)) self.assertTrue(isinstance(factory.certificate_manager(), CertificateManager)) self.assertTrue(isinstance(factory.password_manager(), PasswordManager)) self.assertTrue(isinstance(factory.permission_manager(), PermissionManager)) self.assertTrue(isinstance(factory.permission_query_manager(), PermissionQueryManager)) self.assertTrue(isinstance(factory.role_manager(), RoleManager)) self.assertTrue(isinstance(factory.role_query_manager(), RoleQueryManager)) self.assertTrue(isinstance(factory.user_manager(), UserManager)) self.assertTrue(isinstance(factory.user_query_manager(), UserQueryManager)) self.assertTrue(isinstance(factory.repo_manager(), RepoManager)) self.assertTrue(isinstance(factory.repo_unit_association_manager(), RepoUnitAssociationManager)) self.assertTrue(isinstance(factory.repo_publish_manager(), RepoPublishManager)) self.assertTrue(isinstance(factory.repo_query_manager(), RepoQueryManager)) self.assertTrue(isinstance(factory.repo_sync_manager(), RepoSyncManager)) self.assertTrue(isinstance(factory.content_manager(), ContentManager)) self.assertTrue(isinstance(factory.content_query_manager(), ContentQueryManager)) self.assertTrue(isinstance(factory.content_upload_manager(), ContentUploadManager)) self.assertTrue(isinstance(factory.consumer_manager(), ConsumerManager)) self.assertTrue(isinstance(factory.topic_publish_manager(), TopicPublishManager))
def get(self, request, role_id): """ Retrieve a specific role. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :param role_id: id for the requested role :type role_id: str :return: Response containing the role :rtype: django.http.HttpResponse :raises: MissingResource if role ID does not exist """ role = factory.role_query_manager().find_by_id(role_id) if role is None: raise pulp_exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in factory.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = factory.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission link = {'_href': reverse('role_resource', kwargs={'role_id': role['id']})} role.update(link) return generate_json_response_with_pulp_encoder(role)
def _check_username_password_local(username, password=None): """ Check a username and password against the local database. Return None if the username and password are not valid @type username: str @param username: the login of the user @type password: str or None @param password: password of the user, None => do not validate the password @rtype: L{pulp.server.db.model.User} instance or None @return: user corresponding to the credentials """ user_query_manager = factory.user_query_manager() user = user_query_manager.find_by_login(username) if user is None: _log.error('User [%s] specified in certificate was not found in the system' % username) return None if user['password'] is None and password is not None: _log.error('This is an ldap user %s' % user) return None if password is not None: if not factory.password_manager().check_password(user['password'], password): _log.error('Password for user [%s] was incorrect' % username) return None return user
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] permissions_manager = managers.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [ permissions_manager.operation_value_to_name(o) for o in operations ] role['permissions'] = resource_permission role.update(serialization.link.current_link_obj()) return self.ok(role)
def delete_user(login): """ Deletes the given user. Deletion of last superuser is not permitted. @param login: identifies the user being deleted @type login: str @raise MissingResource: if the given user does not exist @raise InvalidValue: if login value is invalid """ # Raise exception if login is invalid if login is None or invalid_type(login, basestring): raise InvalidValue(['login']) # Check whether user exists found = User.get_collection().find_one({'login': login}) if found is None: raise MissingResource(login) # Make sure user is not the last super user if factory.user_query_manager().is_last_super_user(login): raise PulpDataException(_("The last superuser [%s] cannot be deleted" % login)) # Revoke all permissions from the user permission_manager = factory.permission_manager() permission_manager.revoke_all_permissions_from_user(login) User.get_collection().remove({'login': login})
def add_permissions_to_role(self, role_id, resource, operations): """ Add permissions to a role. @type role_id: str @param role_id: role identifier @type resource: str @param resource: resource path to grant permissions to @type operations: list of allowed operations being granted @param operations: list or tuple @raise MissingResource: if the given role does not exist """ if role_id == self.super_user_role: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].setdefault(resource, []) for o in operations: if o in current_ops: continue current_ops.append(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: factory.permission_manager().grant(resource, user['login'], operations) Role.get_collection().save(role, safe=True)
def GET(self, login): user = managers.user_query_manager().find_by_login(login) if user is None: raise exceptions.MissingResource(login) user.update(serialization.link.current_link_obj()) return self.ok(user)
def _auth_decorator(self, *args, **kwargs): # Check Authentication # Run through each registered and enabled auth function is_consumer = False registered_auth_functions = [check_preauthenticated, password_authentication, user_cert_authentication, consumer_cert_authentication, oauth_authentication] user_authenticated = False for authenticate_user in registered_auth_functions: if authenticate_user == oauth_authentication: userid, is_consumer = authenticate_user() else: userid = authenticate_user() if userid is not None: user_authenticated = True if authenticate_user == consumer_cert_authentication: is_consumer = True break if not user_authenticated: raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025) # Check Authorization principal_manager = factory.principal_manager() user_query_manager = factory.user_query_manager() if super_user_only and not user_query_manager.is_superuser(userid): raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) # if the operation is None, don't check authorization elif operation is not None: if is_consumer: if is_consumer_authorized(http.resource_path(), userid, operation): # set default principal = SYSTEM principal_manager.set_principal() else: raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) elif user_query_manager.is_authorized(http.resource_path(), userid, operation): user = user_query_manager.find_by_login(userid) principal_manager.set_principal(user) else: raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) # Authentication and authorization succeeded. Call method and then clear principal. value = method(self, *args, **kwargs) principal_manager.clear_principal() return value
def GET(self, login): user = managers.user_query_manager().find_by_login(login) if user is None: raise exceptions.MissingResource(login) user.update(serialization.link.current_link_obj()) self.process_dictionary_against_whitelist(user, USER_WHITELIST) return self.ok(user)
def _auth_decorator(self, *args, **kwargs): # Check Authentication # Run through each registered and enabled auth function is_consumer = False registered_auth_functions = [ check_preauthenticated, password_authentication, user_cert_authentication, consumer_cert_authentication, oauth_authentication ] user_authenticated = False for authenticate_user in registered_auth_functions: if authenticate_user == oauth_authentication: userid, is_consumer = authenticate_user() else: userid = authenticate_user() if userid is not None: user_authenticated = True if authenticate_user == consumer_cert_authentication: is_consumer = True break if not user_authenticated: raise AuthenticationFailed(auth_utils.CODE_FAILED) # Check Authorization principal_manager = factory.principal_manager() user_query_manager = factory.user_query_manager() if super_user_only and not user_query_manager.is_superuser(userid): raise AuthenticationFailed(auth_utils.CODE_PERMISSION) # if the operation is None, don't check authorization elif operation is not None: if is_consumer: if is_consumer_authorized(http.resource_path(), userid, operation): # set default principal = SYSTEM principal_manager.set_principal() else: raise AuthenticationFailed(auth_utils.CODE_PERMISSION) elif user_query_manager.is_authorized(http.resource_path(), userid, operation): user = user_query_manager.find_by_login(userid) principal_manager.set_principal(user) else: raise AuthenticationFailed(auth_utils.CODE_PERMISSION) # Authentication and authorization succeeded. Call method and then clear principal. value = method(self, *args, **kwargs) principal_manager.clear_principal() return value
def setUp(self): super(AuthControllersTests, self).setUp() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.password_manager = manager_factory.password_manager() self.role_manager.ensure_super_user_role() self.user_manager.ensure_admin()
def setUp(self): super(UserManagerTests, self).setUp() # Hardcoded to /var/lib/pulp, so change here to avoid permissions issues self.default_sn_path = SerialNumber.PATH SerialNumber.PATH = '/tmp/sn.dat' sn = SerialNumber() sn.reset() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.cert_generation_manager = manager_factory.cert_generation_manager()
def setUp(self): super(UserManagerTests, self).setUp() # Hardcoded to /var/lib/pulp, so change here to avoid permissions issues self.default_sn_path = SerialNumber.PATH SerialNumber.PATH = '/tmp/sn.dat' sn = SerialNumber() sn.reset() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.cert_generation_manager = manager_factory.cert_generation_manager()
def setUp(self): super(AuthControllersTests, self).setUp() self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager( ) self.password_manager = manager_factory.password_manager() self.role_manager.ensure_super_user_role() self.user_manager.ensure_admin()
def setUp(self): super(PermissionManagerTests, self).setUp() self.alpha_num = string.letters + string.digits self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.role_manager.ensure_super_user_role() manager_factory.principal_manager().clear_principal()
def setUp(self): super(RoleManagerTests, self).setUp() self.alpha_num = string.letters + string.digits self.user_manager = manager_factory.user_manager() self.user_query_manager = manager_factory.user_query_manager() self.role_manager = manager_factory.role_manager() self.role_query_manager = manager_factory.role_query_manager() self.permission_manager = manager_factory.permission_manager() self.permission_query_manager = manager_factory.permission_query_manager() self.role_manager.ensure_super_user_role() manager_factory.principal_manager().clear_principal()
def get_admins(): """ Get a list of users with the super-user role. :return: list of users who are admins. :rtype: list of User """ user_query_manager = factory.user_query_manager() try: super_users = user_query_manager.find_users_belonging_to_role(SUPER_USER_ROLE) return super_users except MissingResource: return None
def remove_permissions_from_role(role_id, resource, operations): """ Remove permissions from a role. :param role_id: role identifier :type role_id: str :param resource: resource path to revoke permissions from :type resource: str :param operations: list or tuple :type operations: list of allowed operations being revoked :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: role['permissions'].remove(resource_permission) Role.get_collection().save(role, safe=True)
def get(self, request, role_id): """ List Users belonging to a role. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :param role_id: id for the requested role :type role_id: str :return: Response containing the users :rtype: django.http.HttpResponse """ user_query_manager = factory.user_query_manager() role_users = user_query_manager.find_users_belonging_to_role(role_id) return generate_json_response_with_pulp_encoder(role_users)
def GET(self): role_query_manager = managers.role_query_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [operation_to_name(o) for o in operations] for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = managers.permission_manager() for resource, operations in role['permissions'].items(): role['permissions'][resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role.update(serialization.link.current_link_obj()) return self.ok(role)
def remove_permissions_from_role(role_id, resource, operations): """ Remove permissions from a role. :param role_id: role identifier :type role_id: str :param resource: resource path to revoke permissions from :type resource: str :param operations: list or tuple :type operations: list of allowed operations being revoked :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: role['permissions'].remove(resource_permission) Role.get_collection().save(role, safe=True)
def get(self, request): """ List all users. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :return: Response containing a list of users :rtype: django.http.HttpResponse """ query_manager = factory.user_query_manager() users = query_manager.find_all() for user in users: serialize(user) return generate_json_response_with_pulp_encoder(users)
def add_permissions_to_role(role_id, resource, operations): """ Add permissions to a role. :param role_id: role identifier :type role_id: str :param resource: resource path to grant permissions to :type resource: str :param operations: list or tuple :type operations: list of allowed operations being granted :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) if not role['permissions']: role['permissions'] = [] resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not resource_permission: resource_permission = dict(resource=resource, permission=current_ops) role['permissions'].append(resource_permission) for o in operations: if o in current_ops: continue current_ops.append(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: factory.permission_manager().grant(resource, user['login'], operations) Role.get_collection().save(role, safe=True)
def remove_permissions_from_role(self, role_id, resource, operations): """ Remove permissions from a role. @type role_id: str @param role_id: role identifier @type resource: str @param resource: resource path to revoke permissions from @type operations: list of allowed operations being revoked @param operations: list or tuple @raise MissingResource: if the given role does not exist """ if role_id == self.super_user_role: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].get(resource, []) if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role( role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: del role['permissions'][resource] Role.get_collection().save(role, safe=True)
def get(self, request): """ List all users. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :return: Response containing a list of users :rtype: django.http.HttpResponse """ query_manager = factory.user_query_manager() users = query_manager.find_all() for user in users: add_link(user) process_dictionary_against_whitelist(user, USER_WHITELIST) return generate_json_response_with_pulp_encoder(users)
def GET(self): role_query_manager = managers.role_query_manager() roles = role_query_manager.find_all() for role in roles: role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [ operation_to_name(o) for o in operations ] for role in roles: role.update(serialization.link.child_link_obj(role['id'])) return self.ok(roles)
def delete_role(role_id): """ Deletes the given role. This has the side-effect of revoking any permissions granted to the role from the users in the role, unless those permissions are also granted through another role the user is a memeber of. :param role_id: identifies the role being deleted :type role_id: str :raise InvalidValue: if any of the fields are unacceptable :raise MissingResource: if the given role does not exist :raise PulpDataException: if role is a superuser role """ # Raise exception if role id is invalid if role_id is None or not isinstance(role_id, basestring): raise InvalidValue(['role_id']) # Check whether role exists role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) # Make sure role is not a superuser role if role_id == SUPER_USER_ROLE: raise PulpDataException(_('Role %s cannot be changed') % role_id) # Remove respective roles from users users = factory.user_query_manager().find_users_belonging_to_role( role_id) for item in role['permissions']: for user in users: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], user['login'], user_ops) for user in users: user['roles'].remove(role_id) factory.user_manager().update_user(user['login'], Delta(user, 'roles')) Role.get_collection().remove({'id': role_id}, safe=True)
def get(self, resuest, login): """ Retrieve a specific user. :param request: WSGI request object :type request: django.core.handlers.wsgi.WSGIRequest :param login: login for the requested user :type login: str :return: Response containing the user :rtype: django.http.HttpResponse :raises: MissingResource if login does not exist """ user = factory.user_query_manager().find_by_login(login) if user is None: raise pulp_exceptions.MissingResource(login) user = serialize(user) return generate_json_response_with_pulp_encoder(user)
def test_get(self): # Setup user_query_manager = manager_factory.user_query_manager() cert_generation_manager = manager_factory.cert_generation_manager() user = user_query_manager.find_by_login(login='******') # Test status, body = self.post('/v2/actions/login/') # Verify self.assertEqual(200, status) certificate = manager_factory.certificate_manager(content=str(body['key']+body['certificate'])) cn = certificate.subject()['CN'] username, id = cert_generation_manager.decode_admin_user(cn) self.assertEqual(username, user['login']) self.assertEqual(id, user['id'])
def remove_user_from_role(self, role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. @type role_id: str @param role_id: role identifier @type login: str @param login: name of user @rtype: bool @return: True on success @raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login': login}) if user is None: raise MissingResource(login) if role_id == self.super_user_role and factory.user_query_manager( ).is_last_super_user(login): raise PulpDataException( _('%s cannot be empty, and %s is the last member') % (self.super_user_role, login)) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for resource, operations in role['permissions'].items(): other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( resource, operations, other_roles) factory.permission_manager().revoke(resource, login, user_ops)
def add_permissions_to_role(role_id, resource, operations): """ Add permissions to a role. :param role_id: role identifier :type role_id: str :param resource: resource path to grant permissions to :type resource: str :param operations: list or tuple :type operations: list of allowed operations being granted :raise InvalidValue: if some params are invalid :raise PulpDataException: if role is a superuser role """ if role_id == SUPER_USER_ROLE: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id': role_id}) if role is None: raise InvalidValue(['role_id']) if not role['permissions']: role['permissions'] = [] resource_permission = {} current_ops = [] for item in role['permissions']: if item['resource'] == resource: resource_permission = item current_ops = resource_permission['permission'] if not resource_permission: resource_permission = dict(resource=resource, permission=current_ops) role['permissions'].append(resource_permission) for o in operations: if o in current_ops: continue current_ops.append(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: factory.permission_manager().grant(resource, user['login'], operations) Role.get_collection().save(role, safe=True)
def GET(self, role_id): manager = managers.role_query_manager() role = manager.find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [ u['login'] for u in managers.user_query_manager(). find_users_belonging_to_role(role['id']) ] for resource, operations in role['permissions'].items(): role['permissions'][resource] = [ operation_to_name(o) for o in operations ] role.update(serialization.link.current_link_obj()) return self.ok(role)
def remove_permissions_from_role(self, role_id, resource, operations): """ Remove permissions from a role. @type role_id: str @param role_id: role identifier @type resource: str @param resource: resource path to revoke permissions from @type operations: list of allowed operations being revoked @param operations: list or tuple @raise MissingResource: if the given role does not exist """ if role_id == self.super_user_role: raise PulpDataException(_('super-users role cannot be changed')) role = Role.get_collection().find_one({'id' : role_id}) if role is None: raise MissingResource(role_id) current_ops = role['permissions'].get(resource, []) if not current_ops: return for o in operations: if o not in current_ops: continue current_ops.remove(o) users = factory.user_query_manager().find_users_belonging_to_role(role_id) for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, user['login'], user_ops) # in no more allowed operations, remove the resource if not current_ops: del role['permissions'][resource] Role.get_collection().save(role, safe=True)
def remove_user_from_role(role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. :param role_id: role identifier :type role_id: str :param login: name of user :type login: str :raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login': login}) if user is None: raise MissingResource(login) if role_id == SUPER_USER_ROLE and factory.user_query_manager( ).is_last_super_user(login): raise PulpDataException( _('%(role)s cannot be empty, and %(login)s is the last member') % { 'role': SUPER_USER_ROLE, 'login': login }) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for item in role['permissions']: other_roles = factory.role_query_manager().get_other_roles( role, user['roles']) user_ops = _operations_not_granted_by_roles( item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], login, user_ops)
def test_get(self): # Setup user_query_manager = manager_factory.user_query_manager() cert_generation_manager = manager_factory.cert_generation_manager() user = user_query_manager.find_by_login(login='******') # Test status, body = self.post('/v2/actions/login/') # Verify self.assertEqual(200, status) certificate = manager_factory.certificate_manager( content=str(body['key'] + body['certificate'])) cn = certificate.subject()['CN'] username, id = cert_generation_manager.decode_admin_user(cn) self.assertEqual(username, user['login']) self.assertEqual(id, user['id'])
def remove_user_from_role(self, role_id, login): """ Remove a user from a role. This has the side-effect of revoking all the permissions granted to the role from the user, unless the permissions are also granted by another role. @type role_id: str @param role_id: role identifier @type login: str @param login: name of user @rtype: bool @return: True on success @raise MissingResource: if the given role or user does not exist """ role = Role.get_collection().find_one({'id' : role_id}) if role is None: raise MissingResource(role_id) user = User.get_collection().find_one({'login' : login}) if user is None: raise MissingResource(login) if role_id == self.super_user_role and factory.user_query_manager().is_last_super_user(login): raise PulpDataException(_('%s cannot be empty, and %s is the last member') % (self.super_user_role, login)) if role_id not in user['roles']: return user['roles'].remove(role_id) User.get_collection().save(user, safe=True) for resource, operations in role['permissions'].items(): other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(resource, operations, other_roles) factory.permission_manager().revoke(resource, login, user_ops)
def GET(self, role_id): role = managers.role_query_manager().find_by_id(role_id) if role is None: raise exceptions.MissingResource(role_id) role['users'] = [u['login'] for u in managers.user_query_manager().find_users_belonging_to_role(role['id'])] permissions_manager = managers.permission_manager() # isolate schema change resource_permission = {} for item in role['permissions']: resource = item['resource'] operations = item.get('permission', []) resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations] role['permissions'] = resource_permission role.update(serialization.link.current_link_obj()) return self.ok(role)
def ensure_admin(self): """ This function ensures that there is at least one super user for the system. If no super users are found, the default admin user (from the pulp config) is looked up or created and added to the super users role. """ user_query_manager = factory.user_query_manager() role_manager = factory.role_manager() super_users = user_query_manager.find_users_belonging_to_role(role_manager.super_user_role) if super_users: return default_login = config.config.get('server', 'default_login') admin = User.get_collection().find_one({'login' : default_login}) if admin is None: default_password = config.config.get('server', 'default_password') admin = factory.user_manager().create_user(login=default_login, password=default_password) role_manager.add_user_to_role(role_manager.super_user_role, default_login)
def delete_role(role_id): """ Deletes the given role. This has the side-effect of revoking any permissions granted to the role from the users in the role, unless those permissions are also granted through another role the user is a memeber of. :param role_id: identifies the role being deleted :type role_id: str :raise InvalidValue: if any of the fields are unacceptable :raise MissingResource: if the given role does not exist :raise PulpDataException: if role is a superuser role """ # Raise exception if role id is invalid if role_id is None or not isinstance(role_id, basestring): raise InvalidValue(['role_id']) # Check whether role exists role = Role.get_collection().find_one({'id': role_id}) if role is None: raise MissingResource(role_id) # Make sure role is not a superuser role if role_id == SUPER_USER_ROLE: raise PulpDataException(_('Role %s cannot be changed') % role_id) # Remove respective roles from users users = factory.user_query_manager().find_users_belonging_to_role(role_id) for item in role['permissions']: for user in users: other_roles = factory.role_query_manager().get_other_roles(role, user['roles']) user_ops = _operations_not_granted_by_roles(item['resource'], item['permission'], other_roles) factory.permission_manager().revoke(item['resource'], user['login'], user_ops) for user in users: user['roles'].remove(role_id) factory.user_manager().update_user(user['login'], Delta(user, 'roles')) Role.get_collection().remove({'id': role_id}, safe=True)
def _check_username_password_ldap(username, password=None): """ Check a username and password against the ldap server. Return None if the username and password are not valid @type username: str @param username: the login of the user @type password: str or None @param password: password of the user, None => do not validate the password @rtype: L{pulp.server.db.model.User} instance or None @return: user corresponding to the credentials """ ldap_uri = "ldap://localhost" if config.has_option('ldap', 'uri'): ldap_uri = config.get("ldap", "uri") else: _log.info("No valid server found, default to localhost") ldap_base = "dc=localhost" if config.has_option('ldap', 'base'): ldap_base = config.get('ldap', 'base') else: _log.info("No valid base found, default to localhost") ldap_filter = None if config.has_option('ldap', 'filter'): ldap_filter = config.get('ldap', 'filter') ldap_tls = False if config.has_option('ldap', 'tls'): ldap_tls = config.getboolean('ldap', 'tls') ldap_server = ldap_connection.LDAPConnection(server=ldap_uri, tls=ldap_tls) ldap_server.connect() user = None if password is not None: user = ldap_server.authenticate_user(ldap_base, username, password, filter=ldap_filter) else: user_query_manager = factory.user_query_manager() user = user_query_manager.find_by_login(username) if user is None: return None return user
def ensure_admin(self): """ This function ensures that there is at least one super user for the system. If no super users are found, the default admin user (from the pulp config) is looked up or created and added to the super users role. """ user_query_manager = factory.user_query_manager() role_manager = factory.role_manager() super_users = user_query_manager.find_users_belonging_to_role( SUPER_USER_ROLE) if super_users: return default_login = config.config.get('server', 'default_login') admin = User.get_collection().find_one({'login': default_login}) if admin is None: default_password = config.config.get('server', 'default_password') admin = UserManager.create_user(login=default_login, password=default_password) role_manager.add_user_to_role(SUPER_USER_ROLE, default_login)
def _verify_auth(self, operation, super_user_only, method, *args, **kwargs): """ Internal method for checking authentication and authorization. This code is kept outside of the decorator which calls it so that it can be mocked. This allows for the decorator itself which calls here to have assertions made about the operation and super_user values set in the view code. An operation of None means not to check authorization; only check authentication. The super_user_only flag set to True means that only members of the built in SuperUsers role are authorized. :type operation: int or None :param operation: The operation a user needs permission for, or None to skip authorization. :type super_user_only: bool :param super_user_only: Only authorize a user if they are a super user. """ # Check Authentication # Run through each registered and enabled auth function is_consumer = False registered_auth_functions = [ check_preauthenticated, password_authentication, user_cert_authentication, consumer_cert_authentication, oauth_authentication ] user_authenticated = False for authenticate_user in registered_auth_functions: if authenticate_user == oauth_authentication: userid, is_consumer = authenticate_user() else: userid = authenticate_user() if userid is not None: user_authenticated = True if authenticate_user == consumer_cert_authentication: is_consumer = True break if not user_authenticated: raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025) # Check Authorization principal_manager = factory.principal_manager() user_query_manager = factory.user_query_manager() if super_user_only and not user_query_manager.is_superuser(userid): raise PulpCodedAuthenticationException( error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) # if the operation is None, don't check authorization elif operation is not None: if is_consumer: if is_consumer_authorized(http.resource_path(), userid, operation): # set default principal = SYSTEM principal_manager.set_principal() else: raise PulpCodedAuthenticationException( error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) elif user_query_manager.is_authorized(http.resource_path(), userid, operation): user = user_query_manager.find_by_login(userid) principal_manager.set_principal(user) else: raise PulpCodedAuthenticationException( error_code=error_codes.PLP0026, user=userid, operation=OPERATION_NAMES[operation]) # Authentication and authorization succeeded. Call method and then clear principal. value = method(self, *args, **kwargs) principal_manager.clear_principal() return value