mirror of
https://github.com/GNS3/gns3-server
synced 2024-11-28 19:28:07 +00:00
Check for group ACEs to find user privileges
This commit is contained in:
parent
3e0592520b
commit
f3a4ad49f4
@ -171,6 +171,14 @@ def create_default_roles(target, connection, **kw):
|
|||||||
"description": "View a compute",
|
"description": "View a compute",
|
||||||
"name": "Compute.Audit"
|
"name": "Compute.Audit"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"description": "Install an appliance",
|
||||||
|
"name": "Appliance.Allocate"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "View an appliance",
|
||||||
|
"name": "Appliance.Audit"
|
||||||
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
stmt = target.insert().values(default_privileges)
|
stmt = target.insert().values(default_privileges)
|
||||||
@ -235,7 +243,9 @@ def add_privileges_to_default_roles(target, connection, **kw):
|
|||||||
"Template.Audit",
|
"Template.Audit",
|
||||||
"Symbol.Audit",
|
"Symbol.Audit",
|
||||||
"Image.Audit",
|
"Image.Audit",
|
||||||
"Compute.Audit"
|
"Compute.Audit",
|
||||||
|
"Appliance.Allocate",
|
||||||
|
"Appliance.Audit"
|
||||||
)
|
)
|
||||||
|
|
||||||
add_privileges_to_role(target, connection, "User", user_privileges)
|
add_privileges_to_role(target, connection, "User", user_privileges)
|
||||||
@ -249,7 +259,8 @@ def add_privileges_to_default_roles(target, connection, **kw):
|
|||||||
"Template.Audit",
|
"Template.Audit",
|
||||||
"Symbol.Audit",
|
"Symbol.Audit",
|
||||||
"Image.Audit",
|
"Image.Audit",
|
||||||
"Compute.Audit"
|
"Compute.Audit",
|
||||||
|
"Appliance.Audit"
|
||||||
)
|
)
|
||||||
|
|
||||||
add_privileges_to_role(target, connection, "Auditor", auditor_privileges)
|
add_privileges_to_role(target, connection, "Auditor", auditor_privileges)
|
||||||
|
@ -303,18 +303,8 @@ class RbacRepository(BaseRepository):
|
|||||||
result = await self._db_session.execute(query)
|
result = await self._db_session.execute(query)
|
||||||
log.debug(f"{result.rowcount} ACE(s) have been deleted")
|
log.debug(f"{result.rowcount} ACE(s) have been deleted")
|
||||||
|
|
||||||
async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
|
@staticmethod
|
||||||
|
def _match_path_to_aces(path: str, aces) -> bool:
|
||||||
#TODO: handle when user belong to one or more groups (left join?)
|
|
||||||
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
|
|
||||||
join(models.Privilege.roles).\
|
|
||||||
join(models.Role.acl_entries).\
|
|
||||||
join(models.ACE.user).\
|
|
||||||
filter(models.User.user_id == user_id).\
|
|
||||||
filter(models.Privilege.name == privilege_name).\
|
|
||||||
order_by(models.ACE.path.desc())
|
|
||||||
result = await self._db_session.execute(query)
|
|
||||||
aces = result.all()
|
|
||||||
|
|
||||||
parsed_url = urlparse(path)
|
parsed_url = urlparse(path)
|
||||||
original_path = path
|
original_path = path
|
||||||
@ -327,7 +317,55 @@ class RbacRepository(BaseRepository):
|
|||||||
for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
|
for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
|
||||||
if ace_path == path:
|
if ace_path == path:
|
||||||
if not ace_allowed:
|
if not ace_allowed:
|
||||||
return False
|
raise PermissionError(f"Permission denied for {path}")
|
||||||
if path == original_path or ace_propagate:
|
if path == original_path or ace_propagate:
|
||||||
return True # only allow if the path is the original path or the ACE is set to propagate
|
return True # only allow if the path is the original path or the ACE is set to propagate
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
|
||||||
|
"""
|
||||||
|
Resource paths form a file system like tree and privileges can be inherited by paths down that tree
|
||||||
|
(the propagate field is True by default)
|
||||||
|
|
||||||
|
The following inheritance rules are used:
|
||||||
|
|
||||||
|
* Privileges for individual users always replace group privileges.
|
||||||
|
* Privileges for groups apply when the user is member of that group.
|
||||||
|
* Privileges on deeper levels replace those inherited from an upper level.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# retrieve all user ACEs matching the user_id and privilege name
|
||||||
|
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
|
||||||
|
join(models.Privilege.roles).\
|
||||||
|
join(models.Role.acl_entries).\
|
||||||
|
join(models.ACE.user). \
|
||||||
|
filter(models.User.user_id == user_id).\
|
||||||
|
filter(models.Privilege.name == privilege_name).\
|
||||||
|
order_by(models.ACE.path.desc())
|
||||||
|
|
||||||
|
result = await self._db_session.execute(query)
|
||||||
|
aces = result.all()
|
||||||
|
|
||||||
|
try:
|
||||||
|
if self._match_path_to_aces(path, aces):
|
||||||
|
# the user has an ACE matching the path and privilege,there is no need to check group ACEs
|
||||||
|
return True
|
||||||
|
except PermissionError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
# retrieve all group ACEs matching the user_id and privilege name
|
||||||
|
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
|
||||||
|
join(models.Privilege.roles). \
|
||||||
|
join(models.Role.acl_entries). \
|
||||||
|
join(models.ACE.group). \
|
||||||
|
join(models.UserGroup.users).\
|
||||||
|
filter(models.User.user_id == user_id). \
|
||||||
|
filter(models.Privilege.name == privilege_name)
|
||||||
|
|
||||||
|
result = await self._db_session.execute(query)
|
||||||
|
aces = result.all()
|
||||||
|
|
||||||
|
try:
|
||||||
|
return self._match_path_to_aces(path, aces)
|
||||||
|
except PermissionError:
|
||||||
|
return False
|
||||||
|
Loading…
Reference in New Issue
Block a user