[Kimchi-devel] [PATCH v2 3/4] Enhance UrlSubNode decorator and kimchiauth tool to check for sudo rights.
Leonardo Garcia
lagarcia at linux.vnet.ibm.com
Thu Feb 13 02:28:18 UTC 2014
From: Leonardo Garcia <lagarcia at br.ibm.com>
kimchiauth tool used to only check if the user was authenticated or not.
Now it also checks whether the REST API being accessed is only allowed
to users with sudo rights.
The necessity to have sudo rights to access a REST API can be easily
configured through the UrlSubNode decorator. Similar to the support
previously implemented for user authentication in UrlSubNode, an
additional boolean parameter was added to UrlSubNode to indicate whether
the user needs sudo rights in order to access the corresponding REST
API.
Signed-off-by: Leonardo Garcia <lagarcia at br.ibm.com>
---
src/kimchi/auth.py | 13 ++++++++++---
src/kimchi/control/utils.py | 9 ++++++++-
src/kimchi/server.py | 7 ++++++-
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index e8deb40..ee572cb 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -188,12 +188,19 @@ def logout():
cherrypy.lib.sessions.expire()
-def kimchiauth(*args, **kwargs):
+def has_permission(admin_methods):
+ return not admin_methods or \
+ cherrypy.request.method not in admin_methods or \
+ (cherrypy.request.method in admin_methods and
+ cherrypy.session[USER_SUDO])
+
+
+def kimchiauth(admin_methods=None):
debug("Entering kimchiauth...")
- if check_auth_session():
+ if check_auth_session() and has_permission(admin_methods):
return
- if check_auth_httpba():
+ if check_auth_httpba() and has_permission(admin_methods):
return
if not from_browser():
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index ebfdda7..0d7e84a 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -107,13 +107,20 @@ def validate_params(params, instance, action):
class UrlSubNode(object):
- def __init__(self, name, auth=False):
+
+ def __init__(self, name, auth=False, admin_methods=None):
+ """
+ admin_methods must be None, or a list containing zero or more of the
+ string values ['GET', 'POST', 'PUT', 'DELETE']
+ """
self.name = name
self.auth = auth
+ self.admin_methods = admin_methods
def __call__(self, fun):
fun._url_sub_node_name = {"name": self.name}
fun.url_auth = self.auth
+ fun.admin_methods = self.admin_methods
return fun
diff --git a/src/kimchi/server.py b/src/kimchi/server.py
index 1e131b4..6ac2f64 100644
--- a/src/kimchi/server.py
+++ b/src/kimchi/server.py
@@ -190,7 +190,12 @@ class Server(object):
for ident, node in sub_nodes.items():
if node.url_auth:
- self.configObj["/%s" % ident] = {'tools.kimchiauth.on': True}
+ cfg = self.configObj
+ ident = "/%s" % ident
+ cfg[ident] = {'tools.kimchiauth.on': True}
+ if node.admin_methods:
+ cfg[ident][
+ 'tools.kimchiauth.admin_methods'] = node.admin_methods
self.app = cherrypy.tree.mount(KimchiRoot(model_instance, dev_env),
config=self.configObj)
--
1.8.5.3
More information about the Kimchi-devel
mailing list