[Kimchi-devel] [PATCH v2 3/4] Enhance UrlSubNode decorator and kimchiauth tool to check for sudo rights.

[Leonardo Garcia]

From: Leonardo Garcia <lagarcia at br.ibm.com>

kimchiauth tool used to only check if the user was authenticated or not.
Now it also checks whether the REST API being accessed is only allowed
to users with sudo rights.

The necessity to have sudo rights to access a REST API can be easily
configured through the UrlSubNode decorator. Similar to the support
previously implemented for user authentication in UrlSubNode, an
additional boolean parameter was added to UrlSubNode to indicate whether
the user needs sudo rights in order to access the corresponding REST
API.

Signed-off-by: Leonardo Garcia <lagarcia at br.ibm.com>
---
 src/kimchi/auth.py          | 13 ++++++++++---
 src/kimchi/control/utils.py |  9 ++++++++-
 src/kimchi/server.py        |  7 ++++++-
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index e8deb40..ee572cb 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -188,12 +188,19 @@ def logout():
     cherrypy.lib.sessions.expire()
 
 
-def kimchiauth(*args, **kwargs):
+def has_permission(admin_methods):
+    return not admin_methods or \
+        cherrypy.request.method not in admin_methods or \
+        (cherrypy.request.method in admin_methods and
+            cherrypy.session[USER_SUDO])
+
+
+def kimchiauth(admin_methods=None):
     debug("Entering kimchiauth...")
-    if check_auth_session():
+    if check_auth_session() and has_permission(admin_methods):
         return
 
-    if check_auth_httpba():
+    if check_auth_httpba() and has_permission(admin_methods):
         return
 
     if not from_browser():
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index ebfdda7..0d7e84a 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -107,13 +107,20 @@ def validate_params(params, instance, action):
 
 
 class UrlSubNode(object):
-    def __init__(self, name, auth=False):
+
+    def __init__(self, name, auth=False, admin_methods=None):
+        """
+        admin_methods must be None, or a list containing zero or more of the
+        string values ['GET', 'POST', 'PUT', 'DELETE']
+        """
         self.name = name
         self.auth = auth
+        self.admin_methods = admin_methods
 
     def __call__(self, fun):
         fun._url_sub_node_name = {"name": self.name}
         fun.url_auth = self.auth
+        fun.admin_methods = self.admin_methods
         return fun
 
 
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index 1e131b4..6ac2f64 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -190,7 +190,12 @@ class Server(object):
 
         for ident, node in sub_nodes.items():
             if node.url_auth:
-                self.configObj["/%s" % ident] = {'tools.kimchiauth.on': True}
+                cfg = self.configObj
+                ident = "/%s" % ident
+                cfg[ident] = {'tools.kimchiauth.on': True}
+                if node.admin_methods:
+                    cfg[ident][
+                        'tools.kimchiauth.admin_methods'] = node.admin_methods
 
         self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
                                        config=self.configObj)
-- 
1.8.5.3