def main():
    lines = []
    lines.append(HEADER)
    lines.append('')

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append('%s' % (resource_title))
        lines.append('~' * len(resource_title))
        lines.append('')

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append([permission_type, description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split('\n'))
        lines.append('')

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
def main():
    lines = []
    lines.append(HEADER)
    lines.append("")

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member
        lines.append("%s" % (resource_title))
        lines.append("~" * len(resource_title))
        lines.append("")

        permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append(["**%s**" % (permission_type), description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split("\n"))
        lines.append("")

    result = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(result)

    print("Generated: %s" % (DESTINATION_PATH))
    return result
示例#3
0
文件: resolvers.py 项目: hejin/st2
    def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
        log_context = {
            'user_db': user_db,
            'pack_uid': pack_uid,
            'resource_uid': resource_uid,
            'resource_type': self.resource_type,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                  permission_name='view')
        all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                 permission_name='all')

        if permission_type == view_permission_type:
            # Note: Some permissions such as "create", "modify", "delete" and "execute" also
            # grant / imply "view" permission
            permission_types = self.view_grant_permission_types[:] + [permission_type]
        elif permission_type not in all_permission_type:
            permission_types = [all_permission_type, permission_type]
        else:
            permission_types = [permission_type]

        # Check direct grants on the specified resource
        resource_types = [self.resource_type]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=resource_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant on the action', extra=log_context)
            return True

        # Check grants on the parent pack
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=pack_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the action parent pack', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
示例#4
0
 def test_get_permission_type(self):
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='view'),
                     PermissionType.ACTION_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='all'),
                     PermissionType.ACTION_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='execute'),
                     PermissionType.ACTION_EXECUTE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='view'),
                     PermissionType.RULE_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='delete'),
                     PermissionType.RULE_DELETE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='view'),
                     PermissionType.SENSOR_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='all'),
                     PermissionType.SENSOR_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='modify'),
                     PermissionType.SENSOR_MODIFY)
     self.assertEqual(
         PermissionType.get_permission_type(resource_type=ResourceType.RULE_ENFORCEMENT,
                                            permission_name='view'),
         PermissionType.RULE_ENFORCEMENT_VIEW)
示例#5
0
文件: test_rbac.py 项目: agilee/st2
    def test_get_valid_permission_for_resource_type(self):
        valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.ACTION
        )

        for name in valid_action_permissions:
            self.assertTrue(name.startswith(ResourceType.ACTION + "_"))

        valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(resource_type=ResourceType.RULE)

        for name in valid_rule_permissions:
            self.assertTrue(name.startswith(ResourceType.RULE + "_"))
    def test_user_has_resource_db_permission(self):
        resolver = WebhookPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.WEBHOOK)

        # Admin user, should always return true
        resource_db = self.resources['webhook_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "webhook_send" grant on webhook_1
        user_db = self.users['custom_role_webhook_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.WEBHOOK_SEND)

        permission_types = [
            PermissionType.WEBHOOK_CREATE,
            PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
示例#7
0
文件: resolvers.py 项目: hejin/st2
    def _user_has_list_permission(self, user_db, permission_type):
        """
        Common method for checking if a user has specific "list" resource permission (e.g.
        rules_list, action_list, etc.).
        """
        assert PermissionType.get_permission_name(permission_type) == 'list'

        log_context = {
            'user_db': user_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        permission_types = [permission_type]

        # Check direct grants
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
示例#8
0
文件: rbac.py 项目: KenMercusLai/st2
    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = ('Invalid permission type "%s". Only "list" permission types '
                                   'can be used without a resource id' % (permission_type))
                        raise ValueError(message)

            return cleaned
示例#9
0
文件: resolvers.py 项目: hejin/st2
 def _get_all_permission_type_for_resource(self, resource_db):
     """
     Retrieve "ALL" permission type for the provided resource.
     """
     resource_type = resource_db.get_resource_type()
     permission_type = PermissionType.get_permission_type(resource_type=resource_type,
                                                          permission_name='all')
     return permission_type
示例#10
0
文件: resolvers.py 项目: hejin/st2
def get_resolver_for_permission_type(permission_type):
    """
    Return resolver instance for the provided permission type.

    :rtype: Instance of :class:`PermissionsResolver`
    """
    resource_type = PermissionType.get_resource_type(permission_type=permission_type)
    resolver_instance = get_resolver_for_resource_type(resource_type=resource_type)
    return resolver_instance
示例#11
0
    def test_user_has_resource_db_permission(self):
        resolver = RunnerPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RUNNER)

        # Admin user, should always return true
        resource_db = self.resources['runner_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "runner_view" grant on runner_1
        resource_db = self.resources['runner_1']
        user_db = self.users['custom_role_runner_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_VIEW)

        permission_types = [
            PermissionType.RUNNER_MODIFY,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "runner_modify" grant on runner_2
        resource_db = self.resources['runner_2']
        user_db = self.users['custom_role_runner_modify_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_MODIFY)

        permission_types = [
            PermissionType.RUNNER_VIEW,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
示例#12
0
文件: rbac.py 项目: rlugojr/st2
def _validate_permission_types(resource_db, permission_types):
    """
    Validate that the permission_types list only contains valid values for the
    provided resource.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    for permission_type in permission_types:
        if permission_type not in valid_permission_types:
            raise ValueError("Invalid permission type: %s" % (permission_type))

    return permission_types
示例#13
0
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_LIST),
                      'list')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE),
                      'create')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE),
                      'delete')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY),
                      'modify')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE),
                      'execute')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.RULE_ENFORCEMENT_LIST),
                      'list')
    def test_user_has_resource_db_permissions(self):
        # Note: Right now we don't support granting permissions on key value items so we just check
        # that the method always returns True
        resolver = KeyValuePermissionsResolver()

        # No roles
        user_db = self.users['no_roles']
        resource_db = self.resources['kvp_1']

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.KEY_VALUE_PAIR)
        for permission_type in permission_types:
            self.assertTrue(resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=permission_type))
示例#15
0
文件: resolvers.py 项目: hejin/st2
    def _user_has_system_role_permission(self, user_db, permission_type):
        """
        Check the user system roles and return True if user has the required permission.

        :rtype: ``bool``
        """
        permission_name = PermissionType.get_permission_name(permission_type)

        user_role_dbs = get_roles_for_user(user_db=user_db)
        user_role_names = [role_db.name for role_db in user_role_dbs]

        if SystemRole.SYSTEM_ADMIN in user_role_names:
            # System admin has all the permissions
            return True
        elif SystemRole.ADMIN in user_role_names:
            # Admin has all the permissions
            return True
        elif SystemRole.OBSERVER in user_role_names and permission_name in READ_PERMISSION_NAMES:
            # Observer role has "view" permission on all the resources
            return True

        return False
示例#16
0
文件: rbac.py 项目: jspittman/st2
    def validate(self):
        # Parent JSON schema validation
        super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources['rule_enforcement_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_3'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_enforcement_1']

        # "modify" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
示例#18
0
文件: test_rbac.py 项目: agilee/st2
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), "create")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), "delete")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), "all")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), "all")
示例#19
0
文件: test_rbac.py 项目: agilee/st2
 def test_get_resource_type(self):
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL), ResourceType.PACK)
示例#20
0
    def test_user_has_resource_db_permission(self):
        resolver = InquiryPermissionsResolver()

        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.INQUIRY)
        all_permission_types.remove(PermissionType.INQUIRY_LIST)

        # Admin user, should always return true
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # View user should be able to view
        user_db = self.users['custom_role_inquiry_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        # Respond user should be able to respond
        user_db = self.users['custom_role_inquiry_respond_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)

        # ALL user should have all db perms
        user_db = self.users['custom_role_inquiry_all_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # Now to test inheritance from action_execution for parent workflow.
        # We still have to pass in INQUIRY_RESPOND to permission_type here to keep the resolver
        # enum assert happy, but we haven't granted INQUIRY_RESPOND to this role, proving
        # that the effective permission is inherited.
        user_db = self.users['custom_role_inquiry_inherit']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_2'],
            permission_type=PermissionType.INQUIRY_RESPOND)
示例#21
0
    def test_user_has_resource_permissions(self):
        resolver = SensorPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.SENSOR)

        # Admin user, should always return true
        resource_db = self.resources['sensor_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_sensor_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with a direct grant on sensor
        user_db = self.users['custom_role_sensor_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_ALL))

        # Custom role - "sensor_all" grant on the sensor parent pack
        user_db = self.users['custom_role_pack_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "sensor_all" grant on the sensor
        user_db = self.users['custom_role_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
示例#22
0
    def test_get_resource_type(self):
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_LIST),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_VIEW),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_CREATE),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_MODIFY),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_DELETE),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL),
                         SystemType.PACK)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_LIST),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_VIEW),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_MODIFY),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_ALL),
                         SystemType.SENSOR_TYPE)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_LIST),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_VIEW),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_MODIFY),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_EXECUTE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL),
                         SystemType.ACTION)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_LIST),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_VIEW),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_RE_RUN),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_STOP),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_ALL),
                         SystemType.EXECUTION)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_LIST),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_VIEW),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_CREATE),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_MODIFY),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_DELETE),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ALL),
                         SystemType.RULE)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_LIST),
                         SystemType.RULE_ENFORCEMENT)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_VIEW),
                         SystemType.RULE_ENFORCEMENT)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_VIEW),
                         SystemType.KEY_VALUE_PAIR)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_SET),
                         SystemType.KEY_VALUE_PAIR)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_DELETE),
                         SystemType.KEY_VALUE_PAIR)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_CREATE),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_SEND),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_DELETE),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_ALL),
                         SystemType.WEBHOOK)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_LIST),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_VIEW),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_CREATE),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_DELETE),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_ALL),
                         SystemType.API_KEY)
示例#23
0
    def test_user_has_resource_db_permission(self):
        resolver = ActionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.ACTION)

        # Admin user, should always return true
        resource_db = self.resources['action_1']
        user_db = self.users['admin']

        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_MODIFY)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_DELETE)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_action_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with a direct grant on action
        user_db = self.users['custom_role_action_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role - "action_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_execute" grant on action_1
        user_db = self.users['custom_role_action_execute_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        # "execute" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_VIEW)

        permission_types = [
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
示例#24
0
    def test_user_has_resource_permissions(self):
        resolver = ExecutionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.EXECUTION)

        # Admin user, should always return true
        resource_db = self.resources['exec_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_STOP))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_ALL))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with an action_view grant on unrelated pack, should return false for
        # everything
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack, should return false for
        # everything
        user_db = self.users['custom_role_pack_action_grant_unrelated_permission']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with "action_view" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_view" grant on the action the resource belongs to
        user_db = self.users['custom_role_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_execute" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role with "action_execute" grant on the action resource belongs to
        user_db = self.users['custom_role_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role - "action_all" grant on the action parent pack the execution belongs to
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action the execution belongs to
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources["rule_enforcement_1"]
        user_db = self.users["admin"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Observer, should always return true for VIEW permission
        user_db = self.users["observer"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # No roles, should return false for everything
        user_db = self.users["no_roles"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with no permission grants, should return false for everything
        user_db = self.users["1_custom_role_no_permissions"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users["custom_role_pack_grant"]
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with with grant on the parent pack
        user_db = self.users["custom_role_rule_pack_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with a direct grant on rule
        user_db = self.users["custom_role_rule_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_3"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users["custom_role_pack_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_all" grant on the rule
        user_db = self.users["custom_role_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users["custom_role_rule_modify_grant"]
        resource_db = self.resources["rule_enforcement_1"]

        # "modify" also grants "view"
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_ENFORCEMENT_VIEW
            )
        )
示例#26
0
    def test_user_has_resource_permissions(self):
        resolver = RulePermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE)

        # Admin user, should always return true
        resource_db = self.resources['rule_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_DELETE))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_DELETE))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_MODIFY))

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role - "rule_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_MODIFY))

        # "modify" also grants "view"
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_VIEW))

        permission_types = [
            PermissionType.RULE_CREATE,
            PermissionType.RULE_DELETE
        ]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))
示例#27
0
文件: resolvers.py 项目: peak6/st2
    def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
        log_context = {
            'user_db': user_db,
            'resource_db': resource_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        rule_spec = getattr(resource_db, 'rule', None)
        rule_uid = rule_spec.uid
        rule_id = rule_spec.id
        rule_pack = ResourceReference.get_pack(rule_spec.ref)

        if not rule_uid or not rule_id or not rule_pack:
            LOG.error('Rule UID or ID or PACK not present in enforcement object. ' +
                      ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) +
                      'Cannot assess access permissions without it. Defaulting to DENY.')
            return False

        # TODO: Add utility methods for constructing uids from parts
        pack_db = PackDB(ref=rule_pack)
        rule_pack_uid = pack_db.get_uid()

        rule_permission_type = None
        if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
            rule_permission_type = PermissionType.RULE_VIEW
        elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
            rule_permission_type = PermissionType.RULE_LIST
        else:
            raise ValueError('Invalid permission type: %s' % (permission_type))

        permission_types = [PermissionType.RULE_ALL, rule_permission_type]

        view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                                  permission_name='view')

        if rule_permission_type == view_permission_type:
            permission_types = (RulePermissionsResolver.view_grant_permission_types[:] +
                                [rule_permission_type])

        # Check grants on the pack of the rule to which enforcement belongs to
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=rule_pack_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
            return True

        # Check grants on the rule the enforcement belongs to
        resource_types = [ResourceType.RULE]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=rule_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False