
From: Leonardo Garcia <lagarcia@br.ibm.com>

kimchiauth tool used to only check if the user was authenticated or not. Now it also checks whether the REST API being accessed is only allowed to users with sudo rights. The necessity to have sudo rights to access a REST API can be easily configured through the UrlSubNode decorator. Similar to the support previously implemented for user authentication in UrlSubNode, an additional boolean parameter was added to UrlSubNode to indicate whether the user needs sudo rights in order to access the corresponding REST API.

Signed-off-by: Leonardo Garcia <lagarcia@br.ibm.com>
---
 src/kimchi/auth.py | 13 ++++++++++---
 src/kimchi/control/utils.py | 9 ++++++++-
 src/kimchi/server.py | 7 ++++++-
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index e8deb40..ee572cb 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -188,12 +188,19 @@ def logout():
 cherrypy.lib.sessions.expire()
-def kimchiauth(*args, **kwargs):
+def has_permission(admin_methods):
+ return not admin_methods or \
+ cherrypy.request.method not in admin_methods or \
+ (cherrypy.request.method in admin_methods and
+ cherrypy.session[USER_SUDO])
+
+
+def kimchiauth(admin_methods=None):
 debug("Entering kimchiauth...")
- if check_auth_session():
+ if check_auth_session() and has_permission(admin_methods):
 return
- if check_auth_httpba():
+ if check_auth_httpba() and has_permission(admin_methods):
 return
 if not from_browser():
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index ebfdda7..0d7e84a 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
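Review bot: `has_permission` indexes `cherrypy.session[USER_SUDO]` directly, so a session that lacks that key (for example one established through `check_auth_httpba`, if that path does not store the sudo flag, or one created before this change) raises KeyError and surfaces as a 500 instead of a denial; `cherrypy.session.get(USER_SUDO, False)` fails closed. The third clause `(cherrypy.request.method in admin_methods and ...)` is redundant once the `not in` clause has been evaluated, so the whole check reduces to `return not admin_methods or cherrypy.request.method not in admin_methods or bool(cherrypy.session.get(USER_SUDO, False))`. An authenticated user without sudo now falls through to the same branch as an unauthenticated request, so the client receives the unauthenticated response rather than a 403; consider recording that the credentials were valid and answering with a 403 in that case. The remainder of `kimchiauth` after `if not from_browser():` lies outside the hunk.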
@@ -107,13 +107,20 @@ def validate_params(params, instance, action):
 class UrlSubNode(object):
- def __init__(self, name, auth=False):
+
+ def __init__(self, name, auth=False, admin_methods=None):
+ """
+ admin_methods must be None, or a list containing zero or more of the
+ string values ['GET', 'POST', 'PUT', 'DELETE']
+ """
 self.name = name
 self.auth = auth
+ self.admin_methods = admin_methods
 def __call__(self, fun):
 fun._url_sub_node_name = {"name": self.name}
 fun.url_auth = self.auth
+ fun.admin_methods = self.admin_methods
 return fun
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index 1e131b4..6ac2f64 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -190,7 +190,12 @@ class Server(object):
 for ident, node in sub_nodes.items():
 if node.url_auth:
- self.configObj["/%s" % ident] = {'tools.kimchiauth.on': True}
+ cfg = self.configObj
+ ident = "/%s" % ident
+ cfg[ident] = {'tools.kimchiauth.on': True}
+ if node.admin_methods:
+ cfg[ident][
+ 'tools.kimchiauth.admin_methods'] = node.admin_methods
 self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env), config=self.configObj)
-- 
1.8.5.3
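Review bot: `UrlSubNode.__init__` documents that `admin_methods` must be None or a list drawn from `['GET', 'POST', 'PUT', 'DELETE']` but never checks it, and because `kimchiauth` tests entries against `cherrypy.request.method` with a case-sensitive membership test, a misspelt or lower-case entry silently leaves that method open to non-sudo users instead of failing loudly. A guard in `__init__` such as `if admin_methods is not None and not set(admin_methods) <= {'GET', 'POST', 'PUT', 'DELETE'}:` followed by `raise ValueError("invalid admin_methods: %s" % admin_methods)` turns the misconfiguration into a startup error. The new docstring describes a class-level contract but is attached to `__init__`; moving it to the class body makes it visible from `help(UrlSubNode)`. The commit description calls the new parameter boolean, whereas the code takes a list of method names; the description should say so.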
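Review bot: The `tools.kimchiauth.admin_methods` entry is only written inside `if node.url_auth:`, so a node declared with `admin_methods` but `auth=False` never has its sudo requirement enforced and the methods it lists stay reachable without any authentication; widening the condition to `if node.url_auth or node.admin_methods:` (or having `UrlSubNode` reject that combination) closes the gap. Rebinding the loop variable on `ident = "/%s" % ident` shadows the `sub_nodes` key with the mounted path for the rest of the iteration; a separate name, `path = "/%s" % ident` and then `cfg[path] = {'tools.kimchiauth.on': True}`, reads more clearly. The enclosing method starts outside the hunk.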