From: Aline Manera
To: Kimchi Devel
Date: Thu, 16 Feb 2017 15:20:48 -0200
Subject: [Kimchi-devel] [PATCH] [Wok 3/3] Allow protecting a resource action (POST) when resource (GET) is not protected
Message-Id: <20170216172048.9442-4-alinefm@linux.vnet.ibm.com>
In-Reply-To: <20170216172048.9442-1-alinefm@linux.vnet.ibm.com>
References: <20170216172048.9442-1-alinefm@linux.vnet.ibm.com>

Signed-off-by: Aline Manera
---
 src/wok/control/base.py     | 13 +++++++----
 src/wok/control/config.py   |  6 ++---
 tests/test_authorization.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 7 deletions(-)
 create mode 100644 tests/test_authorization.py

diff --git a/src/wok/control/base.py b/src/wok/control/base.py
index 3070e53..0791062 100644
--- a/src/wok/control/base.py
+++ b/src/wok/control/base.py
@@ -27,7 +27,7 @@ import urllib2 =20 import wok.template from wok.asynctask import save_request_log_id -from wok.auth import USER_GROUPS, USER_NAME, USER_ROLE +from wok.auth import wokauth, USER_GROUPS, USER_NAME, USER_ROLE from wok.control.utils import get_class_name, internal_redirect, model_fn from wok.control.utils import parse_request, validate_method from wok.control.utils import validate_params @@ -91,7 +91,7 @@ class Resource(object): raise cherrypy.HTTPRedirect(base_uri % tuple(uri_params), code) =20 def generate_action_handler(self, action_name, action_args=3DNone, - destructive=3DFalse): + destructive=3DFalse, protected=3DNone): def _render_element(self, ident): self._redirect(ident) uri_params =3D [] @@ -104,7 +104,8 @@ class Resource(object): =20 return self._generate_action_handler_base(action_name, _render_ele= ment, destructive=3Ddestructiv= e, - action_args=3Daction_arg= s) + action_args=3Daction_arg= s, + protected=3Dprotected) =20 def generate_action_handler_task(self, action_name, action_args=3DNone= ): def _render_task(self, task): @@ -115,10 +116,14 @@ class Resource(object): action_args=3Daction_arg= s) =20 def _generate_action_handler_base(self, action_name, render_fn, - destructive=3DFalse, action_args=3DN= one): + destructive=3DFalse, action_args=3DN= one, + protected=3DNone): def wrapper(*args, **kwargs): # status must be always set in order to request be logged. # use 500 as fallback for "exception not handled" cases. + if protected is not None and protected: + wokauth() + details =3D None status =3D 500 =20 diff --git a/src/wok/control/config.py b/src/wok/control/config.py index 8da2fc0..a18fff0 100644 --- a/src/wok/control/config.py +++ b/src/wok/control/config.py 
@@ -44,7 +44,7 @@ class Config(Resource): self.admin_methods =3D ['POST'] self.plugins =3D Plugins(self.model) self.log_map =3D CONFIG_REQUESTS - self.reload =3D self.generate_action_handler('reload') + self.reload =3D self.generate_action_handler('reload', protected= =3DTrue) =20 @property def data(self): @@ -64,8 +64,8 @@ class Plugin(Resource): self.admin_methods =3D ['POST'] self.uri_fmt =3D "/config/plugins/%s" self.log_map =3D PLUGIN_REQUESTS - self.enable =3D self.generate_action_handler('enable') - self.disable =3D self.generate_action_handler('disable') + self.enable =3D self.generate_action_handler('enable', protected= =3DTrue) + self.disable =3D self.generate_action_handler('disable', protected= =3DTrue) =20 @property def data(self): diff --git a/tests/test_authorization.py b/tests/test_authorization.py new file mode 100644 index 0000000..7b7bbcc --- /dev/null +++ b/tests/test_authorization.py 
@@ -0,0 +1,57 @@ +# +# Project Wok +# +# Copyright IBM Corp, 2014-2017 +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-130= 1 USA + +import unittest +from functools import partial + +from tests.utils import patch_auth +from tests.utils import request, run_server + +test_server =3D None + + +def setUpModule(): + global test_server + + patch_auth() + test_server =3D run_server(test_mode=3DTrue) + + +def tearDownModule(): + test_server.stop() + + +class AuthorizationTests(unittest.TestCase): + def setUp(self): + self.request =3D partial(request, user=3D'user') + + def test_nonroot_access(self): + # Non-root users can not reload wok config + resp =3D self.request('/config', '{}', 'GET') + self.assertEquals(200, resp.status) + resp =3D self.request('/config/reload', '{}', 'POST') + self.assertEquals(403, resp.status) + + # Non-root users can not enable/disable a plugin + resp =3D self.request('/config/plugins/sample', '{}', 'GET') + self.assertEquals(200, resp.status) + resp =3D self.request('/config/plugins/sample/enable', '{}', 'POST= ') + self.assertEquals(403, resp.status) + resp =3D self.request('/config/plugins/sample/disable', '{}', 'POS= T') + self.assertEquals(403, resp.status) --=20 2.9.3 _______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org 
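Review bot: in the `_generate_action_handler_base` hunk of src/wok/control/base.py the guard `if protected is not None and protected:` is redundant and the parameter defaults to `None` although it is only ever used as a boolean; declare it as `protected=False` in all three signatures and test it with a plain `if protected:`. A bigger gap in the same file is that `generate_action_handler_task` still calls `_generate_action_handler_base(action_name, _render_task, action_args=action_args)` with no `protected` argument, so a task-style action on an unprotected resource cannot be protected at all; thread the parameter through there too, or say in the docstring that task actions are not covered. Finally, the check runs inside `wrapper`, i.e. at handler time rather than in a before-handler hook, and nothing in this patch shows what `wokauth()` does when called synchronously from there: please confirm (and add a one-line comment above the call) that it evaluates the session and role for the current request immediately and raises the 401/403 itself, because the new test only observes the resulting status code.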
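Review bot: the src/wok/control/config.py hunks add `protected=True` to `reload`, `enable` and `disable` while both classes keep `self.admin_methods = ['POST']` on the lines just above; since the subject says the resource GET is deliberately not protected, `admin_methods` alone was evidently not enforced for these resources, and a future reader will not know why the per-action flag is needed on top of it. Add a short comment next to the first `generate_action_handler(..., protected=True)` explaining that `admin_methods` is only honoured for resources behind `wokauth`, or better, have the base class derive `protected` for POST actions from `admin_methods` so the two settings cannot drift apart. Note also that the default stays opt-in: any action added later to `Config` or `Plugin` is unprotected unless its author remembers the flag, which argues for a fail-closed default in `Resource` rather than repeating `protected=True` per call.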
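Review bot: tests/test_authorization.py covers only the negative path (`user='user'` gets 403 on the three POSTs), so a handler that rejects every caller would pass it; add the positive case (an admin user POSTing /config/reload, /config/plugins/sample/enable and /config/plugins/sample/disable gets a non-403 status) and the unauthenticated case (no user, expected 401) so that "not logged in" and "logged in but not admin" are pinned down separately and the resource GET is shown to stay open in both cases. `assertEquals` is the deprecated alias; use `assertEqual`. The GET requests also pass a `'{}'` body, which is harmless but misleading for a read; pass `None` or omit it if the `request` helper allows that.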