-rw-r--r-- | cobbler/modules/authz_ownership.py | 38 | ||||
-rw-r--r-- | tests/tests.py | 34 |
2 files changed, 22 insertions, 50 deletions
diff --git a/cobbler/modules/authz_ownership.py b/cobbler/modules/authz_ownership.py index 43cf523..3befc4a 100644 --- a/cobbler/modules/authz_ownership.py +++ b/cobbler/modules/authz_ownership.py @@ -35,7 +35,7 @@ def register(): """ return "authz" -def __parse_config(debug=False): +def __parse_config(): etcfile='/etc/cobbler/users.conf' if not os.path.exists(etcfile): raise CX(_("/etc/cobbler/users.conf does not exist")) @@ -43,29 +43,21 @@ def __parse_config(debug=False): config.read(etcfile) alldata = {} sections = config.sections() - if debug: - print "[OWNERSHIP] sections=%s" % sections for g in sections: alldata[str(g)] = {} opts = config.options(g) - if debug: - print "[OWNERSHIP] for group %s, users: %s" % (g,opts) for o in opts: alldata[g][o] = 1 return alldata -def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False): +def authorize(api_handle,user,resource,arg1=None,arg2=None): """ Validate a user against a resource. All users in the file are permitted by this module. """ - user_groups = __parse_config(debug) - if debug: - print "[OWNERSHIP] ------------" - print "can user %s do %s (arg1=%s)?" % (user,resource,arg1) - print "consult db: %s" % user_groups + user_groups = __parse_config() # classify the type of operation save_or_remove = False 
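Review bot: In the `__parse_config` hunk the user names come back as ConfigParser option names (`opts = config.options(g)`), and a stock ConfigParser folds option names to lower case through `optionxform`, while `authorize` later compares them verbatim against the caller-supplied name (`if x == user`), so an entry such as `Admin1` in users.conf would never match the user presenting as `Admin1`. The line that constructs `config` sits just above the hunk and is not visible here, so this is presumed; if it is a plain `ConfigParser.ConfigParser()`, add `config.optionxform = str` before `config.read(etcfile)` so names round-trip unchanged. The mismatch fails closed (the user is denied, not elevated), but the function should say so: `"""Return {group: {user: 1}} from /etc/cobbler/users.conf; user and group names are matched case-sensitively."""`.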
@@ -79,29 +71,21 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False): found_user = False for g in user_groups: for x in user_groups[g]: - if debug: - print "[OWNERSHIP] noted user %s in group %s" % (x,g) if x == user: found_user = True # if user is in the admin group, always authorize # regardless of the ownership of the object. if g == "admins" or g == "admin": - if debug: - print "[OWNERSHIP] user %s is an admin, PASS" % user return 1 break if not found_user: # if the user isn't anywhere in the file, reject regardless # they can still use read-only XMLRPC - if debug: - print "[OWNERSHIP] user %s not found in list, FAIL" % user return 0 if not save_or_remove: # sufficient to allow access for non save/remove ops to all # users for now, may want to refine later. - if debug: - print "[OWNERSHIP] user %s is cleared for non-edit ops, PASS" % user return 1 # now we have a save_or_remove op, so we must check ownership @@ -110,8 +94,6 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False): obj = None if resource.find("remove") != -1: - if debug: - print "[OWNERSHIP] looking up object %s" % (arg1) if resource == "remove_distro": obj = api_handle.find_distro(arg1) elif resource == "remove_profile": 
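Review bot: The nested loop over `user_groups` and `user_groups[g]` hand-rolls a membership test that the parsed structure already answers in one lookup, since each group maps user name to `1`; the admin shortcut could be `if user in user_groups.get("admins", {}) or user in user_groups.get("admin", {}): return 1` and the existence check `found_user = any(user in members for members in user_groups.values())`, which also makes it obvious that the inner `break` only leaves the per-group loop. This is a readability point, not a behavioural one, and the ownership check that follows is in the next hunk.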
@@ -121,33 +103,23 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False): elif resource == "remove_repo": obj = api_handle.find_system(arg1) elif resource.find("save") != -1 or resource.find("modify") != -1: - if debug: - print "[OWNERSHIP] object being considered is: %s for %s" % (arg1, resource) obj = arg1 # if the object has no ownership data, allow access regardless if obj.owners is None or obj.owners == []: - if debug: - print "[OWNERSHIP] user %s is cleared, object is not owned, PASS" % user return 1 # otherwise, ownership by user/group for allowed in obj.owners: if user == allowed: # user match - if debug: - print "[OWNERSHIP] user %s in match list, PASS" % user return 1 for group in user_groups: if group == allowed and user in user_groups[group]: - if debug: - print "[OWNERSHIP] user %s matched by group (%s), PASS" % (user, group) return 1 # can't find user or group in ownership list and ownership is defined # so reject the operation - if debug: - print "[OWNERSHIP] user %s rejected by default policy, FAIL" % user return 0 @@ -160,5 +132,5 @@ if __name__ == "__main__": d = api.find_distro("F9B-i386") d.set_owners(["allowed"]) api.add_distro(d) - print authorize(api, "admin1", "save_distro", d, debug=True) - print authorize(api, "basement2", "save_distro", d, debug=True) + print authorize(api, "admin1", "save_distro", d) + print authorize(api, "basement2", "save_distro", d) diff --git a/tests/tests.py b/tests/tests.py index 426ddf2..c3cbea7 100644 --- a/tests/tests.py +++ b/tests/tests.py @@ -126,8 +126,8 @@ class Ownership(BootTest): authorize = authz_module.authorize # if the users.conf file exists, back it up for the tests - #if os.path.exists("/etc/cobbler/users.conf"): - # shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak") + if os.path.exists("/etc/cobbler/users.conf"): + shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak") fd = open("/etc/cobbler/users.conf","w+") fd.write("\n") 
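Review bot: `obj.owners` is dereferenced without checking that an object was found: the `remove_*` branches assign whatever `api_handle.find_*(arg1)` returns, and when a lookup misses (presumably `None`) or `resource` is a remove/save variant none of the `elif`s cover, `obj` stays `None` and the authorizer raises `AttributeError` instead of returning a decision; whether that fails closed depends on the XMLRPC caller, which is outside this diff. A guard ahead of the ownership check, `if obj is None: return 0`, keeps the module's deny-by-default contract explicit. The context line `elif resource == "remove_repo": obj = api_handle.find_system(arg1)` also looks up a system rather than a repo, so a repo removal is judged against the owners of a same-named system (or nothing at all); it should call the repo finder, presumably `api_handle.find_repo(arg1)`, if the api exposes one alongside `find_distro`/`find_profile`. The start of `authorize` is outside this hunk.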
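Review bot: The re-enabled backup in the tests.py hunk copies the live authz file to the fixed path `/tmp/cobbler_ubak` and then truncates `/etc/cobbler/users.conf` with `open(..., "w+")`; a predictable name in a world-writable directory can be pre-placed or symlinked by any local user, and `shutil.copyfile` drops the original file's mode. Prefer `fd, self.ubak = tempfile.mkstemp(prefix="cobbler_ubak")` followed by `shutil.copy2("/etc/cobbler/users.conf", self.ubak)`, and have the restore step read the path from `self`. The test method continues outside this hunk.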
@@ -151,41 +151,41 @@ class Ownership(BootTest): # same applies to basement1 who is explicitly added as a user # and superlab1 who is in a group in the ownership list for user in ["admin1","superlab1","basement1"]: - self.assertTrue(1==authorize(self.api, user, "save_distro", xo, debug=True),"%s can save_distro" % user) - self.assertTrue(1==authorize(self.api, user, "modify_distro", xo, debug=True),"%s can modify_distro" % user) - self.assertTrue(1==authorize(self.api, user, "copy_distro", xo, debug=True),"%s can copy_distro" % user) - self.assertTrue(1==authorize(self.api, user, "remove_distro", xn, debug=True),"%s can remove_distro" % user) + self.assertTrue(1==authorize(self.api, user, "save_distro", xo),"%s can save_distro" % user) + self.assertTrue(1==authorize(self.api, user, "modify_distro", xo),"%s can modify_distro" % user) + self.assertTrue(1==authorize(self.api, user, "copy_distro", xo),"%s can copy_distro" % user) + self.assertTrue(1==authorize(self.api, user, "remove_distro", xn),"%s can remove_distro" % user) # ensure all users in the file can sync for user in [ "admin1", "superlab1", "basement1", "basement2" ]: - self.assertTrue(1==authorize(self.api, user, "sync", debug=True)) + self.assertTrue(1==authorize(self.api, user, "sync")) # make sure basement2 can't edit (not in group) # and same goes for "dne" (does not exist in users.conf) for user in [ "basement2", "dne" ]: - self.assertTrue(0==authorize(self.api, user, "save_distro", xo, debug=True), "user %s cannot save_distro" % user) - self.assertTrue(0==authorize(self.api, user, "modify_distro", xo, debug=True), "user %s cannot modify_distro" % user) - self.assertTrue(0==authorize(self.api, user, "remove_distro", xn, debug=True), "user %s cannot remove_distro" % user) + self.assertTrue(0==authorize(self.api, user, "save_distro", xo), "user %s cannot save_distro" % user) + self.assertTrue(0==authorize(self.api, user, "modify_distro", xo), "user %s cannot modify_distro" % user) + 
self.assertTrue(0==authorize(self.api, user, "remove_distro", xn), "user %s cannot remove_distro" % user) # basement2 is in the file so he can still copy - self.assertTrue(1==authorize(self.api, "basement2", "copy_distro", xo, debug=True), "basement2 can copy_distro") + self.assertTrue(1==authorize(self.api, "basement2", "copy_distro", xo), "basement2 can copy_distro") # dne can not copy or sync either (not in the users.conf) - self.assertTrue(0==authorize(self.api, "dne", "copy_distro", xo, debug=True), "dne cannot copy_distro") - self.assertTrue(0==authorize(self.api, "dne", "sync", debug=True), "dne cannot sync") + self.assertTrue(0==authorize(self.api, "dne", "copy_distro", xo), "dne cannot copy_distro") + self.assertTrue(0==authorize(self.api, "dne", "sync"), "dne cannot sync") # unlike the distro testdistro0, testrepo0 is unowned # so any user in the file will be able to edit it. for user in [ "admin1", "superlab1", "basement1", "basement2" ]: - self.assertTrue(1==authorize(self.api, user, "save_repo", ro, debug=True), "user %s can save_repo" % user) + self.assertTrue(1==authorize(self.api, user, "save_repo", ro), "user %s can save_repo" % user) # though dne is still not listed and will be denied - self.assertTrue(0==authorize(self.api, "dne", "save_repo", ro, debug=True), "dne cannot save_repo") + self.assertTrue(0==authorize(self.api, "dne", "save_repo", ro), "dne cannot save_repo") # if we survive, restore the users file as module testing is done - #if os.path.exists("/tmp/cobbler_ubak"): - # shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak") + if os.path.exists("/tmp/cobbler_ubak"): + shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak") class MultiNIC(BootTest): |
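Review bot: The restore at the end of the hunk copies in the wrong direction: `shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")` overwrites the backup with the test fixture instead of putting the original back, so after the suite runs the host's real `/etc/cobbler/users.conf` still holds the test users (`admin1`, `basement2`, ...) and the administrator's actual policy is gone; on a machine where cobblerd is live this silently changes who may save or remove objects. It should read `shutil.copyfile("/tmp/cobbler_ubak", "/etc/cobbler/users.conf")`. Because any failing assertion above skips the restore entirely (the comment "if we survive" admits this), the restore belongs in `tearDown` or a `try/finally` around the assertions rather than at the end of the test body. The backup step this pairs with is in an earlier hunk.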