示例#1
 def test_get_permission_name(self):
     """Pin the name ``PermissionType.get_permission_name`` returns for a sample of types."""
     name_of = PermissionType.get_permission_name

     # The expected names carry no resource prefix ("create", not "action_create").
     self.assertEqual(name_of(PermissionType.ACTION_CREATE), 'create')
     self.assertEqual(name_of(PermissionType.ACTION_DELETE), 'delete')

     # The two "all" types belong to different resources but must yield the same name.
     self.assertEqual(name_of(PermissionType.ACTION_ALL), 'all')
     self.assertEqual(name_of(PermissionType.PACK_ALL), 'all')
示例#2
 def test_get_permission_name(self):
     """Check the permission name reported for action, pack, sensor and rule enforcement types."""

     def expect_name(permission_type, expected_name):
         # Single comparison point; the lookup under test happens here.
         self.assertEqual(
             PermissionType.get_permission_name(permission_type),
             expected_name)

     # Action permission types.
     expect_name(PermissionType.ACTION_LIST, "list")
     expect_name(PermissionType.ACTION_CREATE, "create")
     expect_name(PermissionType.ACTION_DELETE, "delete")
     expect_name(PermissionType.ACTION_ALL, "all")

     # Other resources: the expected name never includes the resource part.
     expect_name(PermissionType.PACK_ALL, "all")
     expect_name(PermissionType.SENSOR_MODIFY, "modify")
     expect_name(PermissionType.ACTION_EXECUTE, "execute")

     # Two-word resource: only the final "list" is expected back.
     expect_name(PermissionType.RULE_ENFORCEMENT_LIST, "list")
示例#3
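    def _user_has_list_permission(self, user_db, permission_type):
        """
        Common method for checking if a user has specific "list" resource permission (e.g.
        rules_list, action_list, etc.).

        :param user_db: User whose permissions are checked.
        :param permission_type: Permission type to check. Its permission name must be "list".

        :raises AssertionError: If the permission name of ``permission_type`` is not "list".

        :rtype: ``bool``
        """
        # Raised explicitly rather than with an ``assert`` statement: asserts are removed when
        # Python runs with -O, which would drop this guard from the authorization path.
        # AssertionError is kept so callers see the same exception type as before.
        if PermissionType.get_permission_name(permission_type) != 'list':
            raise AssertionError('permission_type is not a "list" permission type: %s' %
                                 (permission_type,))

        log_context = {
            'user_db': user_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role',
                      extra=log_context)
            return True

        # NOTE(review): no separate custom-role lookup happens in this method. The grant
        # lookup below is the only remaining check - presumably it also returns grants
        # assigned through custom roles; confirm against get_all_permission_grants_for_user.
        permission_types = [permission_type]

        # Any grant of the requested permission type is enough for a "list" permission.
        permission_grants = get_all_permission_grants_for_user(
            user_db=user_db, permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant', extra=log_context)
            return True

        # Default deny: neither a system role nor a grant matched.
        self._log('No matching grants found', extra=log_context)
        return False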
示例#4
文件: resolvers.py 项目: hejin/st2
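    def _user_has_list_permission(self, user_db, permission_type):
        """
        Common method for checking if a user has specific "list" resource permission (e.g.
        rules_list, action_list, etc.).

        :param user_db: User whose permissions are checked.
        :param permission_type: Permission type to check. Its permission name must be "list".

        :raises AssertionError: If the permission name of ``permission_type`` is not "list".

        :rtype: ``bool``
        """
        # An ``assert`` statement is compiled out under ``python -O``, which would remove this
        # precondition from the authorization path, so the check is an explicit raise.
        # The exception type stays AssertionError to remain compatible with existing callers.
        permission_name = PermissionType.get_permission_name(permission_type)
        if permission_name != 'list':
            raise AssertionError('Expected a "list" permission type, got name: %s' %
                                 (permission_name,))

        log_context = {
            'user_db': user_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # NOTE(review): this method performs no dedicated custom-role check; whether grants
        # that come from custom roles are covered depends on what
        # get_all_permission_grants_for_user returns - verify there.
        permission_types = [permission_type]

        # A single grant of the requested type is sufficient.
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant', extra=log_context)
            return True

        # Default deny when nothing matched.
        self._log('No matching grants found', extra=log_context)
        return False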
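 def _user_has_list_permission(self, user_db, permission_type):
     """
     Common method for checking if a user has specific "list" resource permission (e.g.
     rules_list, action_list, etc.).

     :param user_db: User whose permissions are checked.
     :param permission_type: Permission type to check. Its permission name must be "list".

     :raises AssertionError: If the permission name of ``permission_type`` is not "list".

     :return: Whatever ``_user_has_global_permission`` returns for this user and type.
     """
     # Explicit raise instead of ``assert``: assert statements disappear under ``python -O``,
     # and this precondition guards an authorization decision. The exception type is
     # unchanged so callers are not affected.
     if PermissionType.get_permission_name(permission_type) != 'list':
         raise AssertionError('permission_type is not a "list" permission type: %s' %
                              (permission_type,))

     # The decision itself is delegated to the global permission check.
     return self._user_has_global_permission(user_db=user_db, permission_type=permission_type)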
示例#6
 def test_get_permission_name(self):
     """Verify the permission name returned for a selection of permission types."""
     get_name = PermissionType.get_permission_name

     # Action resource.
     self.assertEqual(get_name(PermissionType.ACTION_LIST), 'list')
     self.assertEqual(get_name(PermissionType.ACTION_CREATE), 'create')
     self.assertEqual(get_name(PermissionType.ACTION_DELETE), 'delete')
     self.assertEqual(get_name(PermissionType.ACTION_ALL), 'all')

     # Same name expected for the pack-level "all" type.
     self.assertEqual(get_name(PermissionType.PACK_ALL), 'all')

     self.assertEqual(get_name(PermissionType.SENSOR_MODIFY), 'modify')
     self.assertEqual(get_name(PermissionType.ACTION_EXECUTE), 'execute')

     # Resource name made of two words; only "list" is expected back.
     self.assertEqual(get_name(PermissionType.RULE_ENFORCEMENT_LIST), 'list')
示例#7
 def test_get_permission_name(self):
     """Verify the permission name returned for action, pack and sensor permission types."""

     def check(permission_type, expected):
         # Compare the looked-up name against the expected literal.
         self.assertEqual(PermissionType.get_permission_name(permission_type), expected)

     check(PermissionType.ACTION_LIST, 'list')
     check(PermissionType.ACTION_CREATE, 'create')
     check(PermissionType.ACTION_DELETE, 'delete')

     # ACTION_ALL and PACK_ALL are expected to share the name 'all'.
     check(PermissionType.ACTION_ALL, 'all')
     check(PermissionType.PACK_ALL, 'all')

     check(PermissionType.SENSOR_MODIFY, 'modify')
     check(PermissionType.ACTION_EXECUTE, 'execute')
示例#8
    def _user_has_system_role_permission(self, user_db, permission_type):
        """
        Decide from the user's system roles alone whether the permission is granted.

        :param user_db: User whose assigned roles are looked up.
        :param permission_type: Permission type being requested.

        :rtype: ``bool``
        """
        # Resolved before the role lookup, exactly as in the original statement order.
        requested_name = PermissionType.get_permission_name(permission_type)

        # Roles are matched by name against the SystemRole constants.
        role_names = [role_db.name for role_db in get_roles_for_user(user_db=user_db)]

        # System admin and admin are granted every permission.
        if SystemRole.SYSTEM_ADMIN in role_names or SystemRole.ADMIN in role_names:
            return True

        # Observer is granted only the "view" permission, on all the resources.
        # Anything else falls through to a deny.
        return SystemRole.OBSERVER in role_names and requested_name == 'view'
示例#9
文件: resolvers.py 项目: hejin/st2
    def _user_has_system_role_permission(self, user_db, permission_type):
        """
        Decide from the user's system roles alone whether the permission is granted.

        :param user_db: User whose assigned roles are looked up.
        :param permission_type: Permission type being requested.

        :rtype: ``bool``
        """
        # Resolved before the role lookup, exactly as in the original statement order.
        requested_name = PermissionType.get_permission_name(permission_type)

        # Roles are matched by name against the SystemRole constants.
        role_names = [role_db.name for role_db in get_roles_for_user(user_db=user_db)]

        # System admin and admin are granted every permission.
        if SystemRole.SYSTEM_ADMIN in role_names or SystemRole.ADMIN in role_names:
            return True

        # Observer is granted the permission names listed in READ_PERMISSION_NAMES (defined
        # outside this method) on all the resources; everything else is denied.
        return SystemRole.OBSERVER in role_names and requested_name in READ_PERMISSION_NAMES
示例#10
文件: test_rbac.py 项目: agilee/st2
 def test_get_permission_name(self):
     """Pin the permission name returned for four action and pack permission types."""
     lookup = PermissionType.get_permission_name

     self.assertEqual(lookup(PermissionType.ACTION_CREATE), "create")
     self.assertEqual(lookup(PermissionType.ACTION_DELETE), "delete")

     # Both "all" types, on different resources, are expected to yield the same name.
     self.assertEqual(lookup(PermissionType.ACTION_ALL), "all")
     self.assertEqual(lookup(PermissionType.PACK_ALL), "all")