def _get_executions(self, **kw):
    """Resolve an ``action`` reference filter and delegate to the parent ``_get_all``.

    When ``kw`` carries a truthy ``action`` entry it is replaced by the two
    fields the query layer understands, ``action.name`` and ``action.pack``,
    both derived from the reference via ``ResourceReference``. All other
    keyword arguments are passed through untouched.

    :param kw: Query keyword arguments; presumably list/filter parameters
        (cannot be confirmed from this block alone).
    :return: Whatever the parent class' ``_get_all`` returns.
    """
    action_ref = kw.get('action', None)
    if action_ref:
        # Swap the single reference for its name/pack components.
        kw.pop('action')
        kw['action.name'] = ResourceReference.get_name(action_ref)
        kw['action.pack'] = ResourceReference.get_pack(action_ref)
    return super(ActionExecutionHistoryController, self)._get_all(**kw)
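def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
    """Decide whether ``user_db`` holds ``permission_type`` on a rule enforcement.

    Access is resolved, in order, from:

    1. the user's system role (``_user_has_system_role_permission``),
    2. grants on the pack that owns the enforcement's rule,
    3. grants on the rule itself.

    Enforcement permissions are mapped onto the corresponding rule
    permissions (``RULE_ENFORCEMENT_VIEW`` -> ``RULE_VIEW``,
    ``RULE_ENFORCEMENT_LIST`` -> ``RULE_LIST``); ``RULE_ALL`` always
    satisfies, and the view case additionally accepts every type in
    ``RulePermissionsResolver.view_grant_permission_types``.

    The check fails closed: an enforcement with no ``rule`` reference, or a
    rule missing its uid, id or pack, is logged at ERROR and denied.

    :param user_db: User object whose grants are being checked.
    :param resource_db: Rule enforcement object; only its ``rule`` attribute
        (``uid``, ``id``, ``ref``) is read.
    :param permission_type: ``PermissionType.RULE_ENFORCEMENT_VIEW`` or
        ``PermissionType.RULE_ENFORCEMENT_LIST``.
    :return: ``True`` when a matching grant exists, ``False`` otherwise.
    :raises ValueError: If ``permission_type`` is neither enforcement type.
    """
    log_context = {
        'user_db': user_db,
        'resource_db': resource_db,
        'permission_type': permission_type,
        'resolver': self.__class__.__name__
    }
    self._log('Checking user resource permissions', extra=log_context)

    # First check the system role permissions
    has_system_role_permission = self._user_has_system_role_permission(
        user_db=user_db, permission_type=permission_type)
    if has_system_role_permission:
        self._log('Found a matching grant via system role', extra=log_context)
        return True

    # Check custom roles
    rule_spec = getattr(resource_db, 'rule', None)
    if rule_spec is None:
        # Without a rule reference no grant can be matched. Deny explicitly
        # instead of letting the attribute reads below raise AttributeError.
        LOG.error(
            'Rule reference not present in enforcement object. '
            'Cannot assess access permissions without it. Defaulting to DENY.'
        )
        return False

    rule_uid = rule_spec.uid
    rule_id = rule_spec.id
    rule_pack = ResourceReference.get_pack(rule_spec.ref)

    if not rule_uid or not rule_id or not rule_pack:
        LOG.error(
            'Rule UID or ID or PACK not present in enforcement object. '
            'UID = %s, ID = %s, PACK = %s. '
            'Cannot assess access permissions without it. Defaulting to DENY.'
            % (rule_uid, rule_id, rule_pack)
        )
        return False

    # TODO: Add utility methods for constructing uids from parts
    pack_db = PackDB(ref=rule_pack)
    rule_pack_uid = pack_db.get_uid()

    # Map the enforcement permission onto the equivalent rule permission.
    if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
        rule_permission_type = PermissionType.RULE_VIEW
    elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
        rule_permission_type = PermissionType.RULE_LIST
    else:
        raise ValueError('Invalid permission type: %s' % (permission_type))

    permission_types = [PermissionType.RULE_ALL, rule_permission_type]

    view_permission_type = PermissionType.get_permission_type(
        resource_type=ResourceType.RULE, permission_name='view')
    if rule_permission_type == view_permission_type:
        # Any grant that implies "view" on a rule also implies viewing its
        # enforcements; copy the class list so it is never mutated.
        permission_types = (
            RulePermissionsResolver.view_grant_permission_types[:]
            + [rule_permission_type])

    # Check grants on the pack of the rule to which enforcement belongs to
    resource_types = [ResourceType.PACK]
    permission_grants = get_all_permission_grants_for_user(
        user_db=user_db,
        resource_uid=rule_pack_uid,
        resource_types=resource_types,
        permission_types=permission_types)
    if len(permission_grants) >= 1:
        self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
        return True

    # Check grants on the rule the enforcement belongs to
    resource_types = [ResourceType.RULE]
    permission_grants = get_all_permission_grants_for_user(
        user_db=user_db,
        resource_uid=rule_uid,
        resource_types=resource_types,
        permission_types=permission_types)
    if len(permission_grants) >= 1:
        self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
        return True

    self._log('No matching grants found', extra=log_context)
    return False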
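def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
    """Decide whether ``user_db`` holds ``permission_type`` on a rule enforcement.

    Access is resolved, in order, from:

    1. the user's system role (``_user_has_system_role_permission``),
    2. grants on the pack that owns the enforcement's rule,
    3. grants on the rule itself.

    Enforcement permissions are mapped onto the corresponding rule
    permissions (``RULE_ENFORCEMENT_VIEW`` -> ``RULE_VIEW``,
    ``RULE_ENFORCEMENT_LIST`` -> ``RULE_LIST``); ``RULE_ALL`` always
    satisfies, and the view case additionally accepts every type in
    ``RulePermissionsResolver.view_grant_permission_types``.

    The check fails closed: an enforcement with no ``rule`` reference, or a
    rule missing its uid, id or pack, is logged at ERROR and denied.

    :param user_db: User object whose grants are being checked.
    :param resource_db: Rule enforcement object; only its ``rule`` attribute
        (``uid``, ``id``, ``ref``) is read.
    :param permission_type: ``PermissionType.RULE_ENFORCEMENT_VIEW`` or
        ``PermissionType.RULE_ENFORCEMENT_LIST``.
    :return: ``True`` when a matching grant exists, ``False`` otherwise.
    :raises ValueError: If ``permission_type`` is neither enforcement type.
    """
    log_context = {
        'user_db': user_db,
        'resource_db': resource_db,
        'permission_type': permission_type,
        'resolver': self.__class__.__name__
    }
    self._log('Checking user resource permissions', extra=log_context)

    # First check the system role permissions
    has_system_role_permission = self._user_has_system_role_permission(
        user_db=user_db, permission_type=permission_type)
    if has_system_role_permission:
        self._log('Found a matching grant via system role', extra=log_context)
        return True

    # Check custom roles
    rule_spec = getattr(resource_db, 'rule', None)
    if rule_spec is None:
        # Without a rule reference no grant can be matched. Deny explicitly
        # instead of letting the attribute reads below raise AttributeError.
        LOG.error(
            'Rule reference not present in enforcement object. '
            'Cannot assess access permissions without it. Defaulting to DENY.'
        )
        return False

    rule_uid = rule_spec.uid
    rule_id = rule_spec.id
    rule_pack = ResourceReference.get_pack(rule_spec.ref)

    if not rule_uid or not rule_id or not rule_pack:
        LOG.error(
            'Rule UID or ID or PACK not present in enforcement object. '
            'UID = %s, ID = %s, PACK = %s. '
            'Cannot assess access permissions without it. Defaulting to DENY.'
            % (rule_uid, rule_id, rule_pack)
        )
        return False

    # TODO: Add utility methods for constructing uids from parts
    pack_db = PackDB(ref=rule_pack)
    rule_pack_uid = pack_db.get_uid()

    # Map the enforcement permission onto the equivalent rule permission.
    if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
        rule_permission_type = PermissionType.RULE_VIEW
    elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
        rule_permission_type = PermissionType.RULE_LIST
    else:
        raise ValueError('Invalid permission type: %s' % (permission_type))

    permission_types = [PermissionType.RULE_ALL, rule_permission_type]

    view_permission_type = PermissionType.get_permission_type(
        resource_type=ResourceType.RULE, permission_name='view')
    if rule_permission_type == view_permission_type:
        # Any grant that implies "view" on a rule also implies viewing its
        # enforcements; copy the class list so it is never mutated.
        permission_types = (
            RulePermissionsResolver.view_grant_permission_types[:]
            + [rule_permission_type])

    # Check grants on the pack of the rule to which enforcement belongs to
    resource_types = [ResourceType.PACK]
    permission_grants = get_all_permission_grants_for_user(
        user_db=user_db,
        resource_uid=rule_pack_uid,
        resource_types=resource_types,
        permission_types=permission_types)
    if len(permission_grants) >= 1:
        self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
        return True

    # Check grants on the rule the enforcement belongs to
    resource_types = [ResourceType.RULE]
    permission_grants = get_all_permission_grants_for_user(
        user_db=user_db,
        resource_uid=rule_uid,
        resource_types=resource_types,
        permission_types=permission_types)
    if len(permission_grants) >= 1:
        self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
        return True

    self._log('No matching grants found', extra=log_context)
    return False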