
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/wok/control/base.py | 13 +++++++----
 src/wok/control/config.py | 6 ++---
 tests/test_authorization.py | 57 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 7 deletions(-)
 create mode 100644 tests/test_authorization.py
diff --git a/src/wok/control/base.py b/src/wok/control/base.py
index 3070e53..0791062 100644
--- a/src/wok/control/base.py
+++ b/src/wok/control/base.py
@@ -27,7 +27,7 @@ import urllib2
 import wok.template
 from wok.asynctask import save_request_log_id
-from wok.auth import USER_GROUPS, USER_NAME, USER_ROLE
+from wok.auth import wokauth, USER_GROUPS, USER_NAME, USER_ROLE
 from wok.control.utils import get_class_name, internal_redirect, model_fn
 from wok.control.utils import parse_request, validate_method
 from wok.control.utils import validate_params
@@ -91,7 +91,7 @@ class Resource(object):
 raise cherrypy.HTTPRedirect(base_uri % tuple(uri_params), code)
 def generate_action_handler(self, action_name, action_args=None,
- destructive=False):
+ destructive=False, protected=None):
 def _render_element(self, ident):
 self._redirect(ident)
 uri_params = []
@@ -104,7 +104,8 @@ class Resource(object):
 return self._generate_action_handler_base(action_name, _render_element,
 destructive=destructive,
- action_args=action_args)
+ action_args=action_args,
+ protected=protected)
 def generate_action_handler_task(self, action_name, action_args=None):
 def _render_task(self, task):
@@ -115,10 +116,14 @@ class Resource(object):
 action_args=action_args)
 def _generate_action_handler_base(self, action_name, render_fn,
- destructive=False, action_args=None):
+ destructive=False, action_args=None,
+ protected=None):
 def wrapper(*args, **kwargs):
 # status must be always set in order to request be logged.
 # use 500 as fallback for "exception not handled" cases.
+ if protected is not None and protected:
+ wokauth()
+
 details = None
 status = 500
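Review bot: In the @@ -115 hunk the `wokauth()` call runs before `status` is assigned, so when it rejects the caller the request is presumably never recorded by the logging that the comment on the preceding line says depends on `status` being set; the rest of `wrapper` is outside the hunk, so confirm, but a denied privileged action is exactly what an audit trail should capture. The guard itself can be simplified to `if protected:`, since `None` is already falsy. In the @@ -104 hunk `generate_action_handler` forwards `protected`, but `generate_action_handler_task` (visible as context there) does not accept it, so task-based actions cannot be marked protected at all. With `protected=None` as the default every other action stays unguarded unless a caller remembers to opt in; a docstring on `_generate_action_handler_base` should state what `protected` enforces and that the default is opt-in, so the next action added does not silently inherit no check.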
diff --git a/src/wok/control/config.py b/src/wok/control/config.py
index 8da2fc0..a18fff0 100644
--- a/src/wok/control/config.py
+++ b/src/wok/control/config.py
@@ -44,7 +44,7 @@ class Config(Resource):
 self.admin_methods = ['POST']
 self.plugins = Plugins(self.model)
 self.log_map = CONFIG_REQUESTS
- self.reload = self.generate_action_handler('reload')
+ self.reload = self.generate_action_handler('reload', protected=True)
 @property
 def data(self):
@@ -64,8 +64,8 @@ class Plugin(Resource):
 self.admin_methods = ['POST']
 self.uri_fmt = "/config/plugins/%s"
 self.log_map = PLUGIN_REQUESTS
- self.enable = self.generate_action_handler('enable')
- self.disable = self.generate_action_handler('disable')
+ self.enable = self.generate_action_handler('enable', protected=True)
+ self.disable = self.generate_action_handler('disable', protected=True)
 @property
 def data(self):
diff --git a/tests/test_authorization.py b/tests/test_authorization.py
new file mode 100644
index 0000000..7b7bbcc
--- /dev/null
+++ b/tests/test_authorization.py
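Review bot: Both `Config` and `Plugin` already declare `self.admin_methods = ['POST']` in these hunks, yet their POST actions still needed `protected=True` to reject non-root users, which suggests `admin_methods` is not applied to generated action handlers; a maintainer adding the next action will not guess that two declarations are required. A comment on the changed lines, e.g. `# admin_methods does not cover action handlers; protected=True adds the auth check in the handler wrapper`, would record the relationship, and longer term the two mechanisms should be reconciled so one declaration is authoritative. How `admin_methods` is enforced is not visible in this diff, so verify that before removing either.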
@@ -0,0 +1,57 @@
+#
+# Project Wok
+#
+# Copyright IBM Corp, 2014-2017
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+import unittest
+from functools import partial
+
+from tests.utils import patch_auth
+from tests.utils import request, run_server
+
+test_server = None
+
+
+def setUpModule():
+ global test_server
+
+ patch_auth()
+ test_server = run_server(test_mode=True)
+
+
+def tearDownModule():
+ test_server.stop()
+
+
+class AuthorizationTests(unittest.TestCase):
+ def setUp(self):
+ self.request = partial(request, user='user')
+
+ def test_nonroot_access(self):
+ # Non-root users can not reload wok config
+ resp = self.request('/config', '{}', 'GET')
+ self.assertEquals(200, resp.status)
+ resp = self.request('/config/reload', '{}', 'POST')
+ self.assertEquals(403, resp.status)
+
+ # Non-root users can not enable/disable a plugin
+ resp = self.request('/config/plugins/sample', '{}', 'GET')
+ self.assertEquals(200, resp.status)
+ resp = self.request('/config/plugins/sample/enable', '{}', 'POST')
+ self.assertEquals(403, resp.status)
+ resp = self.request('/config/plugins/sample/disable', '{}', 'POST')
+ self.assertEquals(403, resp.status)
-- 
2.9.3
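Review bot: `assertEquals` is the deprecated alias of `assertEqual` and raises a DeprecationWarning under unittest; the six calls in `test_nonroot_access` should read `self.assertEqual(...)`. The test also covers only the denial path: a companion case in which a privileged user gets a non-403 from `/config/reload` and `/config/plugins/sample/enable` would catch a regression where `wokauth()` starts rejecting everyone, which this test would still pass. Which user `patch_auth()` treats as privileged comes from `tests.utils` and is not visible here, so pick the name from that helper.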