def test_get_permission_name(self):
    """
    get_permission_name should return only the operation part of a permission type.
    """
    # ACTION_ALL and PACK_ALL are expected to share the name 'all': the returned name carries
    # no resource prefix, which is what the authorization resolvers compare against.
    expected_names = (
        (PermissionType.ACTION_CREATE, 'create'),
        (PermissionType.ACTION_DELETE, 'delete'),
        (PermissionType.ACTION_ALL, 'all'),
        (PermissionType.PACK_ALL, 'all'),
    )

    for permission_type, expected_name in expected_names:
        self.assertEqual(PermissionType.get_permission_name(permission_type), expected_name)
def test_get_permission_name(self):
    """
    get_permission_name should return only the operation part of a permission type.
    """
    # Pairs of (permission type, expected operation name). Two different resources that
    # share an operation (ACTION_LIST / RULE_ENFORCEMENT_LIST, ACTION_ALL / PACK_ALL) are
    # expected to produce the same name.
    expected_names = (
        (PermissionType.ACTION_LIST, "list"),
        (PermissionType.ACTION_CREATE, "create"),
        (PermissionType.ACTION_DELETE, "delete"),
        (PermissionType.ACTION_ALL, "all"),
        (PermissionType.PACK_ALL, "all"),
        (PermissionType.SENSOR_MODIFY, "modify"),
        (PermissionType.ACTION_EXECUTE, "execute"),
        (PermissionType.RULE_ENFORCEMENT_LIST, "list"),
    )

    for permission_type, expected_name in expected_names:
        self.assertEqual(
            PermissionType.get_permission_name(permission_type), expected_name
        )
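def _user_has_list_permission(self, user_db, permission_type):
    """
    Common method for checking if a user has specific "list" resource permission (e.g.
    rules_list, action_list, etc.).

    :param user_db: User whose roles and grants are checked.
    :param permission_type: Permission type to check. Its permission name must be "list".

    :raises AssertionError: If the permission name of ``permission_type`` is not "list".

    :rtype: ``bool``
    """
    # Authorization precondition. It is enforced with an explicit raise instead of an
    # ``assert`` statement because ``assert`` is compiled out when Python runs with -O, which
    # would silently drop the check. AssertionError is kept so callers see the same exception
    # type as before.
    if PermissionType.get_permission_name(permission_type) != 'list':
        raise AssertionError('Expected a "list" permission type, got: %s' %
                             (permission_type,))

    # NOTE(review): user_db is handed to the logger as-is; confirm its log representation
    # does not expose sensitive fields.
    log_context = {
        'user_db': user_db,
        'permission_type': permission_type,
        'resolver': self.__class__.__name__
    }
    self._log('Checking user permissions', extra=log_context)

    # First check the system role permissions
    if self._user_has_system_role_permission(user_db=user_db,
                                             permission_type=permission_type):
        self._log('Found a matching grant via system role', extra=log_context)
        return True

    # Then look for a grant of exactly this permission type assigned to the user
    permission_grants = get_all_permission_grants_for_user(
        user_db=user_db, permission_types=[permission_type])

    if len(permission_grants) >= 1:
        self._log('Found a direct grant', extra=log_context)
        return True

    # Default deny: nothing matched
    self._log('No matching grants found', extra=log_context)
    return False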
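def _user_has_list_permission(self, user_db, permission_type):
    """
    Common method for checking if a user has specific "list" resource permission (e.g.
    rules_list, action_list, etc.).

    :param user_db: User whose roles and grants are checked.
    :param permission_type: Permission type to check. Its permission name must be "list".

    :raises AssertionError: If the permission name of ``permission_type`` is not "list".

    :rtype: ``bool``
    """
    # Authorization precondition. Raised explicitly rather than through an ``assert``
    # statement, since ``assert`` is removed when Python runs with -O and the check would then
    # disappear. AssertionError is kept so the exception type callers see does not change.
    if PermissionType.get_permission_name(permission_type) != 'list':
        raise AssertionError('Expected a "list" permission type, got: %s' %
                             (permission_type,))

    # NOTE(review): user_db is handed to the logger as-is; confirm its log representation
    # does not expose sensitive fields.
    log_context = {
        'user_db': user_db,
        'permission_type': permission_type,
        'resolver': self.__class__.__name__
    }
    self._log('Checking user permissions', extra=log_context)

    # First check the system role permissions
    if self._user_has_system_role_permission(user_db=user_db,
                                             permission_type=permission_type):
        self._log('Found a matching grant via system role', extra=log_context)
        return True

    # Then look for a grant of exactly this permission type assigned to the user
    permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                           permission_types=[permission_type])

    if len(permission_grants) >= 1:
        self._log('Found a direct grant', extra=log_context)
        return True

    # Default deny: nothing matched
    self._log('No matching grants found', extra=log_context)
    return False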
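def _user_has_list_permission(self, user_db, permission_type):
    """
    Common method for checking if a user has specific "list" resource permission (e.g.
    rules_list, action_list, etc.).

    The decision itself is delegated to ``_user_has_global_permission``.

    :param user_db: User whose permissions are checked.
    :param permission_type: Permission type to check. Its permission name must be "list".

    :raises AssertionError: If the permission name of ``permission_type`` is not "list".

    :rtype: ``bool``
    """
    # Authorization precondition. Raised explicitly rather than through an ``assert``
    # statement, since ``assert`` is removed when Python runs with -O and the check would then
    # disappear. AssertionError is kept so the exception type callers see does not change.
    if PermissionType.get_permission_name(permission_type) != 'list':
        raise AssertionError('Expected a "list" permission type, got: %s' %
                             (permission_type,))

    return self._user_has_global_permission(user_db=user_db, permission_type=permission_type)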
def test_get_permission_name(self):
    """
    get_permission_name should return only the operation part of a permission type.
    """
    # Pairs of (permission type, expected operation name). Resources that share an operation
    # (ACTION_LIST / RULE_ENFORCEMENT_LIST, ACTION_ALL / PACK_ALL) are expected to produce
    # the same name.
    expected_names = (
        (PermissionType.ACTION_LIST, 'list'),
        (PermissionType.ACTION_CREATE, 'create'),
        (PermissionType.ACTION_DELETE, 'delete'),
        (PermissionType.ACTION_ALL, 'all'),
        (PermissionType.PACK_ALL, 'all'),
        (PermissionType.SENSOR_MODIFY, 'modify'),
        (PermissionType.ACTION_EXECUTE, 'execute'),
        (PermissionType.RULE_ENFORCEMENT_LIST, 'list'),
    )

    for permission_type, expected_name in expected_names:
        self.assertEqual(PermissionType.get_permission_name(permission_type), expected_name)
def test_get_permission_name(self):
    """
    get_permission_name should return only the operation part of a permission type.
    """
    # Pairs of (permission type, expected operation name). ACTION_ALL and PACK_ALL belong to
    # different resources but are expected to produce the same name.
    expected_names = (
        (PermissionType.ACTION_LIST, 'list'),
        (PermissionType.ACTION_CREATE, 'create'),
        (PermissionType.ACTION_DELETE, 'delete'),
        (PermissionType.ACTION_ALL, 'all'),
        (PermissionType.PACK_ALL, 'all'),
        (PermissionType.SENSOR_MODIFY, 'modify'),
        (PermissionType.ACTION_EXECUTE, 'execute'),
    )

    for permission_type, expected_name in expected_names:
        self.assertEqual(PermissionType.get_permission_name(permission_type), expected_name)
def _user_has_system_role_permission(self, user_db, permission_type):
    """
    Decide whether one of the user's system roles already grants the requested permission.

    :param user_db: User whose assigned roles are inspected.
    :param permission_type: Permission type being requested.

    :rtype: ``bool``
    """
    permission_name = PermissionType.get_permission_name(permission_type)

    role_names = [role_db.name for role_db in get_roles_for_user(user_db=user_db)]

    # Both admin roles short-circuit the check: they are granted every permission, regardless
    # of the permission type that was asked for.
    if SystemRole.SYSTEM_ADMIN in role_names or SystemRole.ADMIN in role_names:
        return True

    # Observer is limited to "view" on all the resources; every other permission name
    # (including "list") is not granted by this role here.
    if SystemRole.OBSERVER in role_names and permission_name == 'view':
        return True

    # No system role matched, the caller has to fall back to explicit grants
    return False
def _user_has_system_role_permission(self, user_db, permission_type):
    """
    Decide whether one of the user's system roles already grants the requested permission.

    :param user_db: User whose assigned roles are inspected.
    :param permission_type: Permission type being requested.

    :rtype: ``bool``
    """
    permission_name = PermissionType.get_permission_name(permission_type)

    role_names = [role_db.name for role_db in get_roles_for_user(user_db=user_db)]

    # Both admin roles short-circuit the check: they are granted every permission, regardless
    # of the permission type that was asked for.
    if SystemRole.SYSTEM_ADMIN in role_names or SystemRole.ADMIN in role_names:
        return True

    # Observer is granted every permission whose name is in READ_PERMISSION_NAMES, on all the
    # resources. NOTE(review): the contents of READ_PERMISSION_NAMES are defined elsewhere;
    # confirm it only holds read-only operation names, since any name added there widens what
    # the observer role can do.
    if SystemRole.OBSERVER in role_names and permission_name in READ_PERMISSION_NAMES:
        return True

    # No system role matched, the caller has to fall back to explicit grants
    return False
def test_get_permission_name(self):
    """
    get_permission_name should return only the operation part of a permission type.
    """
    # ACTION_ALL and PACK_ALL are expected to share the name "all": the returned name carries
    # no resource prefix.
    expected_names = (
        (PermissionType.ACTION_CREATE, "create"),
        (PermissionType.ACTION_DELETE, "delete"),
        (PermissionType.ACTION_ALL, "all"),
        (PermissionType.PACK_ALL, "all"),
    )

    for permission_type, expected_name in expected_names:
        self.assertEqual(PermissionType.get_permission_name(permission_type), expected_name)