
From: Aline Manera <alinefm@linux.vnet.ibm.com>

For now, Kimchi just supports 2 types of user roles: 'admin' - user has full control of Kimchi features and 'user' with limited access. But in future the idea is to have more and more roles so it is good to already provide the authorization support with that in mind. That way, instead of only returning if user has or not sudo permissions, the /login API will return the user roles. If the user has sudo permissions he/she will have 'admin' role, otherwise, 'user' role.

curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "guest", "password": "guest-passwd"}' -X POST
{"username": "guest", "roles": ["user"], "groups": []}

curl -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8010/login -d'{"username": "sysadmin", "password": "sysadmin-passwd"}' -X POST
{"username": "sysadmin", "roles": ["admin"], "groups": []}

Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 12 ++++++++----
 tests/test_rest.py | 6 ++++++
 tests/utils.py | 6 +++---
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index 6a4a610..b1febf0 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -38,6 +38,7 @@ USER_NAME = 'username'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+USER_ROLES = 'roles'
 REFRESH = 'robot-refresh'
@@ -62,7 +63,7 @@ def __init__(self, username):
 self.user = {}
 self.user[USER_NAME] = username
 self.user[USER_GROUPS] = None
- self.user[USER_SUDO] = False
+ self.user[USER_ROLES] = ['user']
 def get_groups(self):
 self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall()
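Review bot: `USER_SUDO = 'sudo'` is left defined even though this patch removes both places in auth.py that wrote the 'sudo' key, so the constant is now dead as far as this file is visible. If nothing outside this diff still reads it, drop it in the same patch so the legacy boolean cannot quietly creep back into the /login response next to the new `roles` list; if another module does still consume it, a one-line comment `# kept for callers that still read the legacy 'sudo' key` above it would explain why two representations coexist.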
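Review bot: The role names are bare string literals here (`['user']`) and again in has_sudo (`['admin']`), so the only thing keeping the /login output and any future authorization check in agreement is a typo-free repeat of the same strings. Define `ROLE_ADMIN = 'admin'` and `ROLE_USER = 'user'` next to `USER_ROLES` and write this line as `self.user[USER_ROLES] = [ROLE_USER]`, with the matching change in has_sudo. Defaulting every new User to the least-privileged role before sudo has been checked is the right fail-closed choice and deserves a short comment saying so, e.g. `# least privilege until has_sudo() proves otherwise`. `__init__` begins on the hunk header line and `get_groups` continues past the hunk.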
@@ -74,10 +75,13 @@ def has_sudo(self):
 p = multiprocessing.Process(target=self._has_sudo, args=(result,))
 p.start()
 p.join()
- self.user[USER_SUDO] = bool(result.value)
- return self.user[USER_SUDO]
+ if result.value:
+ self.user[USER_ROLES] = ['admin']
+ return result.value
 def _has_sudo(self, result):
+ result.value = False
+
 _master, slave = pty.openpty()
 os.setsid()
 fcntl.ioctl(slave, termios.TIOCSCTTY, 0)
@@ -94,7 +98,7 @@ def _has_sudo(self, result):
 self.user[USER_NAME]])
 for line in out.split('\n'):
 if line and re.search("(ALL)", line):
- result.value = 1
+ result.value = True
 debug("User %s can run any command with sudo" % result.value)
 return
diff --git a/tests/test_rest.py b/tests/test_rest.py
index ad8fc72..ba9431d 100644
--- a/tests/test_rest.py
+++ b/tests/test_rest.py
@@ -1552,6 +1552,12 @@ def test_auth_session(self):
 req = json.dumps({'username': user, 'password': pw})
 resp = self.request('/login', req, 'POST', hdrs)
 self.assertEquals(200, resp.status)
+
+ user_info = json.loads(resp.read())
+ self.assertEquals(sorted(user_info.keys()),
+ ['groups', 'roles', 'username'])
+ self.assertEquals(user_info['roles'], [u'admin'])
+
 cookie = resp.getheader('set-cookie')
 hdrs['Cookie'] = cookie
diff --git a/tests/utils.py b/tests/utils.py
index fd9b23c..4853b7a 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -157,8 +157,8 @@ def patch_auth(sudo=True):
 def _get_groups(self):
 return None
- def _has_sudo(self):
- return sudo
+ def _has_sudo(self, result):
+ result.value = sudo
 def _authenticate(username, password, service="passwd"):
 try:
@@ -170,7 +170,7 @@ def _authenticate(username, password, service="passwd"):
 import kimchi.auth
 kimchi.auth.authenticate = _authenticate
 kimchi.auth.User.get_groups = _get_groups
- kimchi.auth.User.has_sudo = _has_sudo
+ kimchi.auth.User._has_sudo = _has_sudo
 def normalize_xml(xml_str):
-- 
1.9.3
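Review bot: `return result.value` hands callers the raw content of the shared value, whereas the removed code returned `bool(result.value)`; `result` is created above the hunk so its type is not visible here, but if it is a `multiprocessing.Value` with a C integer type then the `True`/`False` written by `_has_sudo` comes back as `1`/`0`, which breaks any caller doing `is True` or serialising the answer. Keep the old contract with `return bool(result.value)`. The new `result.value = False` at the top of `_has_sudo` is a good fail-closed reset, since a child that dies before reaching the `(ALL)` check otherwise leaves whatever the parent pre-filled; a comment `# fail closed: only the (ALL) match below may flip this to True` would preserve that intent. Separately, `p.join()` carries no timeout, so a `sudo -l` that blocks on the pty (password prompt, stuck PAM module) blocks the login request indefinitely — a bounded `p.join(timeout)` followed by `p.terminate()` would be worth considering, though that is pre-existing and inferred rather than shown here. `has_sudo` starts on the hunk header line, so the creation of `result` is outside this hunk.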
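Review bot: The admin decision still hinges on `re.search("(ALL)", line)`, where the parentheses are a regex group rather than literal characters, so the pattern matches the bare substring `ALL` anywhere in a `sudo -l` line; a restricted sudoers entry whose command path contains it (e.g. `/opt/INSTALL/bin/tool`) would map that user to the 'admin' role. Even with the parentheses escaped, `sudo -l` prints the run-as spec in parentheses separately from the command list, so `(ALL) /usr/bin/ls` would still satisfy the check while the debug message claims the user "can run any command"; as far as that format goes, the unrestricted form is `(ALL) ALL` or `(ALL : ALL) ALL`, optionally with tags such as `NOPASSWD:` before the final `ALL`. Something like `if line and re.search(r"\(ALL(\s*:\s*ALL)?\)\s+(?:[A-Z]+:\s*)*ALL\s*$", line):` captures that, with a comment above it naming the line shape it expects. The debug call also formats `result.value` where the username is meant: `debug("User %s can run any command with sudo" % self.user[USER_NAME])`. `_has_sudo` continues both before and after this hunk.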
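Review bot: The new assertions only cover the sudo-capable path (`[u'admin']`), so a regression that granted 'admin' to every login would still pass this test. Add a companion case that calls `patch_auth(sudo=False)`, logs in the same way and asserts `self.assertEquals(user_info['roles'], [u'user'])`, so both branches of the role mapping are pinned. The sorted-keys assertion is a good guard that the old 'sudo' key is gone from the response and is worth a one-line comment saying that is its purpose. `test_auth_session` starts before this hunk and continues after it.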