3:28 a.m.
From: Leonardo Garcia <lagarcia(a)br.ibm.com>
kimchiauth tool used to only check if the user was authenticated or not.
Now it also checks whether the REST API being accessed is only allowed
to users with sudo rights.
The necessity to have sudo rights to access a REST API can be easily
configured through the UrlSubNode decorator. Similar to the support
previously implemented for user authentication in UrlSubNode, an
additional boolean parameter was added to UrlSubNode to indicate whether
the user needs sudo rights in order to access the corresponding REST
API.
Signed-off-by: Leonardo Garcia <lagarcia(a)br.ibm.com>
---
src/kimchi/auth.py | 13 ++++++++++---
src/kimchi/control/utils.py | 9 ++++++++-
src/kimchi/server.py | 7 ++++++-
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index e8deb40..ee572cb 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -188,12 +188,19 @@ def logout():
cherrypy.lib.sessions.expire()
-def kimchiauth(*args, **kwargs):
+def has_permission(admin_methods):
+ return not admin_methods or \
+ cherrypy.request.method not in admin_methods or \
+ (cherrypy.request.method in admin_methods and
+ cherrypy.session[USER_SUDO])
+
+
+def kimchiauth(admin_methods=None):
debug("Entering kimchiauth...")
- if check_auth_session():
+ if check_auth_session() and has_permission(admin_methods):
return
- if check_auth_httpba():
+ if check_auth_httpba() and has_permission(admin_methods):
return
if not from_browser():
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index ebfdda7..0d7e84a 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -107,13 +107,20 @@ def validate_params(params, instance, action):
class UrlSubNode(object):
- def __init__(self, name, auth=False):
+
+ def __init__(self, name, auth=False, admin_methods=None):
+ """
+ admin_methods must be None, or a list containing zero or more of the
+ string values ['GET', 'POST', 'PUT', 'DELETE']
+ """
self.name = name
self.auth = auth
+ self.admin_methods = admin_methods
def __call__(self, fun):
fun._url_sub_node_name = {"name": self.name}
fun.url_auth = self.auth
+ fun.admin_methods = self.admin_methods
return fun
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index 1e131b4..6ac2f64 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -190,7 +190,12 @@ class Server(object):
for ident, node in sub_nodes.items():
if node.url_auth:
- self.configObj["/%s" % ident] = {'tools.kimchiauth.on':
True}
+ cfg = self.configObj
+ ident = "/%s" % ident
+ cfg[ident] = {'tools.kimchiauth.on': True}
+ if node.admin_methods:
+ cfg[ident][
+ 'tools.kimchiauth.admin_methods'] = node.admin_methods
self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
config=self.configObj)
--
1.8.5.3