本文整理汇总了Python中grouper.models.permission.Permission类的典型用法代码示例。如果您正苦于以下问题:Python Permission类的具体用法?Python Permission怎么用?Python Permission使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了Permission类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: test_edit_tag
def test_edit_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="[email protected]").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"
user = session.query(User).filter_by(username="[email protected]").scalar()
fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"description": "Don't tag me bro"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Don't tag me bro", "The description should have been updated"示例2: grantable_permissions
def grantable_permissions(session, standard_graph):
perm_grant, _ = Permission.get_or_create(session, name=PERMISSION_GRANT, description="")
perm0, _ = Permission.get_or_create(session, name="grantable", description="")
perm1, _ = Permission.get_or_create(session, name="grantable.one", description="")
perm2, _ = Permission.get_or_create(session, name="grantable.two", description="")
session.commit()
return perm_grant, perm0, perm1, perm2示例3: test_grant_and_revoke
def test_grant_and_revoke(session, standard_graph, graph, groups, permissions,
http_client, base_url):
"""Test that permission grant and revokes are reflected correctly."""
group_name = "team-sre"
permission_name = "sudo"
user_name = "[email protected]"
def _check_graph_for_perm(graph):
return any(map(lambda x: x.permission == permission_name,
graph.permission_metadata[group_name]))
# make some permission admins
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
# grant attempt by non-permission admin
fe_url = url(base_url, "/permissions/grant/{}".format(group_name))
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url, method="POST",
body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
headers={'X-Grouper-User': "[email protected]"})
graph.update_from_db(session)
assert not _check_graph_for_perm(graph), "no permissions granted"
# grant by permission admin
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
headers={'X-Grouper-User': user_name})
assert resp.code == 200
graph.update_from_db(session)
assert _check_graph_for_perm(graph), "permissions granted, successfully"
# figure out mapping_id of grant
permission_id = Permission.get(session, name=permission_name).id
group_id = Group.get(session, name=group_name).id
mapping = session.query(PermissionMap).filter(
PermissionMap.permission_id == permission_id,
PermissionMap.group_id == group_id).first()
# revoke permission by non-admin
fe_url = url(base_url, "/permissions/{}/revoke/{}".format(permission_name, mapping.id))
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
headers={'X-Grouper-User': "[email protected]"})
graph.update_from_db(session)
assert _check_graph_for_perm(graph), "permissions not revoked"
# revoke permission for realz
resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
headers={'X-Grouper-User': user_name})
assert resp.code == 200
graph.update_from_db(session)
assert not _check_graph_for_perm(graph), "permissions revoked successfully"示例4: create_permission
def create_permission(
self, name, description="", audited=False, enabled=True, created_on=None
):
# type: (str, str, bool, bool, Optional[datetime]) -> None
permission = SQLPermission(
name=name, description=description, audited=audited, enabled=enabled
)
if created_on:
permission.created_on = created_on
permission.add(self.session)示例5: post
def post(self):
can_create = self.current_user.my_creatable_permissions()
if not can_create:
return self.forbidden()
form = PermissionCreateForm(self.request.arguments)
if not form.validate():
return self.render(
"permission-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
# A user is allowed to create a permission if the name matches any of the globs that they
# are given access to via PERMISSION_CREATE, as long as the permission does not match a
# reserved name. (Unless specifically granted.)
allowed = False
for creatable in can_create:
if matches_glob(creatable, form.data["name"]):
allowed = True
for failure_message in test_reserved_names(form.data["name"]):
form.name.errors.append(failure_message)
if not allowed:
form.name.errors.append(
"Permission name does not match any of your allowed patterns."
)
if form.name.errors:
return self.render(
"permission-create.html", form=form,
alerts=self.get_form_alerts(form.errors),
)
permission = Permission(name=form.data["name"], description=form.data["description"])
try:
permission.add(self.session)
self.session.flush()
except IntegrityError:
self.session.rollback()
form.name.errors.append(
"Name already in use. Permissions must be unique."
)
return self.render(
"permission-create.html", form=form, can_create=can_create,
alerts=self.get_form_alerts(form.errors),
)
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'create_permission',
'Created permission.', on_permission_id=permission.id)
# No explicit refresh because handler queries SQL.
return self.redirect("/permissions/{}".format(permission.name))示例6: test_permission_grant_to_owners
def test_permission_grant_to_owners(session, standard_graph, groups, grantable_permissions):
"""Test we're getting correct owners according to granted
'grouper.permission.grant' permissions."""
perm_grant, _, perm1, perm2 = grantable_permissions
assert not get_owners_by_grantable_permission(session), "nothing to begin with"
# grant a grant on a non-existent permission
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not get_owners_by_grantable_permission(session), "ignore grants for non-existent perms"
# grant a wildcard grant -- make sure all permissions are represented and
# the grant isn't inherited
grant_permission(groups["all-teams"], perm_grant, argument="grantable.*")
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected, "grants are not inherited"
assert len(owners_by_arg_by_perm) == 2
assert len(owners_by_arg_by_perm[perm1.name]) == 1
assert len(owners_by_arg_by_perm[perm2.name]) == 1
# grant on argument substring
grant_permission(groups["team-sre"], perm_grant, argument="{}/somesubstring*".format(perm1.name))
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
expected = [groups["all-teams"]]
assert owners_by_arg_by_perm[perm1.name]["*"] == expected
expected = [groups["team-sre"]]
assert owners_by_arg_by_perm[perm1.name]["somesubstring*"] == expected
# make sure get_owner() respect substrings
res = [
o for o, a in get_owner_arg_list(session, perm1, "somesubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert (
sorted(res) == sorted([groups["all-teams"], groups["team-sre"]]),
"should include substring wildcard matches",
)
res = [
o for o, a in get_owner_arg_list(session, perm1, "othersubstring", owners_by_arg_by_perm=owners_by_arg_by_perm)
]
assert sorted(res) == [groups["all-teams"]], "negative test of substring wildcard matches"
# permission admins have all the power
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
owners_by_arg_by_perm = get_owners_by_grantable_permission(session)
all_permissions = Permission.get_all(session)
for perm in all_permissions:
assert perm.name in owners_by_arg_by_perm, "all permission should be represented"
assert (
groups["security-team"] in owners_by_arg_by_perm[perm.name]["*"]
), "permission admin should be wildcard owners"示例7: create_permission
def create_permission(session, name, description=""):
# type: (Session, str, Optional[str]) -> Permission
"""Create and add a new permission to database
Arg(s):
session(models.base.session.Session): database session
name(str): the name of the permission
description(str): the description of the permission
Returns:
The created permission that has been added to the session
"""
permission = Permission(name=name, description=description or "")
permission.add(session)
return permission示例8: test_limited_permissions_global_approvers
def test_limited_permissions_global_approvers(session, standard_graph, groups, grantable_permissions,
http_client, base_url):
"""Test that notifications are not sent to global approvers."""
perm_grant, _, perm1, _ = grantable_permissions
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
# one circuit-breaking admin grant, one wildcard grant
grant_permission(groups["sad-team"], perm_admin, argument="")
grant_permission(groups["security-team"], perm_grant, argument="grantable.*")
security_team_members = {name for (t, name) in groups['security-team'].my_members().keys()
if t == 'User'}
# SPECIFIC REQUEST: 'grantable.one', 'specific_arg' for 'sad-team'
groupname = "sad-team"
username = "[email protected]"
fe_url = url(base_url, "/groups/{}/permission/request".format(groupname))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"permission_name": perm1.name, "argument": "specific_arg",
"reason": "blah blah black sheep", "argument_type": "text"}),
headers={'X-Grouper-User': username})
assert resp.code == 200
emails = _get_unsent_and_mark_as_sent_emails(session)
assert len(emails) == 2, "email only sent to security-team"
assert not security_team_members.difference(e.email for e in emails), \
"only security-team members get notification"示例9: filter_grantable_permissions
def filter_grantable_permissions(session, grants, all_permissions=None):
"""For a given set of PERMISSION_GRANT permissions, return all permissions
that are grantable.
Args:
session (sqlalchemy.orm.session.Session); database session
grants ([Permission, ...]): PERMISSION_GRANT permissions
all_permissions ({name: Permission}): all permissions to check against
Returns:
list of (Permission, argument) that is grantable by list of grants
sorted by permission name and argument.
"""
if all_permissions is None:
all_permissions = {permission.name: permission for permission in
Permission.get_all(session)}
result = []
for grant in grants:
assert grant.name == PERMISSION_GRANT
grantable = grant.argument.split('/', 1)
if not grantable:
continue
for name, permission_obj in all_permissions.iteritems():
if matches_glob(grantable[0], name):
result.append((permission_obj,
grantable[1] if len(grantable) > 1 else '*', ))
return sorted(result, key=lambda x: x[0].name + x[1])示例10: revoke_all_service_account_grants
def revoke_all_service_account_grants(self, permission):
# type: (str) -> List[ServiceAccountPermissionGrant]
sql_permission = Permission.get(self.session, name=permission)
if not sql_permission:
return []
grants = (
self.session.query(
ServiceAccountPermissionMap.id,
User.username,
ServiceAccountPermissionMap.argument,
ServiceAccountPermissionMap.granted_on,
)
.filter(
User.id == ServiceAccount.user_id,
ServiceAccount.id == ServiceAccountPermissionMap.service_account_id,
PermissionMap.permission_id == sql_permission.id,
)
.all()
)
ids = [g.id for g in grants]
self.session.query(ServiceAccountPermissionMap).filter(
ServiceAccountPermissionMap.id.in_(ids)
).delete(synchronize_session="fetch")
return [
ServiceAccountPermissionGrant(
service_account=g.username,
permission=permission,
argument=g.argument,
granted_on=g.granted_on,
is_alias=False,
grant_id=g.id,
)
for g in grants
]示例11: service_account_grants_for_permission
def service_account_grants_for_permission(self, name):
# type: (str) -> List[ServiceAccountPermissionGrant]
permission = Permission.get(self.session, name=name)
if not permission or not permission.enabled:
return []
grants = (
self.session.query(
User.username,
ServiceAccountPermissionMap.argument,
ServiceAccountPermissionMap.granted_on,
ServiceAccountPermissionMap.id,
)
.filter(
ServiceAccountPermissionMap.permission_id == permission.id,
ServiceAccount.id == ServiceAccountPermissionMap.service_account_id,
User.id == ServiceAccount.user_id,
)
.order_by(User.username, ServiceAccountPermissionMap.argument)
)
return [
ServiceAccountPermissionGrant(
service_account=g.username,
permission=name,
argument=g.argument,
granted_on=g.granted_on,
is_alias=False,
grant_id=g.id,
)
for g in grants.all()
]示例12: group_grants_for_permission
def group_grants_for_permission(self, name, include_disabled_groups=False):
# type: (str, bool) -> List[GroupPermissionGrant]
permission = Permission.get(self.session, name=name)
if not permission or not permission.enabled:
return []
grants = (
self.session.query(
Group.groupname, PermissionMap.argument, PermissionMap.id, PermissionMap.granted_on
)
.filter(
PermissionMap.permission_id == permission.id, Group.id == PermissionMap.group_id
)
.order_by(Group.groupname, PermissionMap.argument)
)
if not include_disabled_groups:
grants = grants.filter(Group.enabled == True)
return [
GroupPermissionGrant(
group=g.groupname,
permission=name,
argument=g.argument,
granted_on=g.granted_on,
is_alias=False,
grant_id=g.id,
)
for g in grants.all()
]示例13: revoke_all_group_grants
def revoke_all_group_grants(self, permission):
# type: (str) -> List[GroupPermissionGrant]
sql_permission = Permission.get(self.session, name=permission)
if not sql_permission:
return []
grants = (
self.session.query(
PermissionMap.id, Group.groupname, PermissionMap.argument, PermissionMap.granted_on
)
.filter(
Group.id == PermissionMap.group_id,
PermissionMap.permission_id == sql_permission.id,
)
.all()
)
ids = [g.id for g in grants]
self.session.query(PermissionMap).filter(PermissionMap.id.in_(ids)).delete(
synchronize_session="fetch"
)
return [
GroupPermissionGrant(
group=g.groupname,
permission=permission,
argument=g.argument,
granted_on=g.granted_on,
is_alias=False,
grant_id=g.id,
)
for g in grants
]示例14: user_admin_perm_to_auditors
def user_admin_perm_to_auditors(session, groups):
"""Adds a USER_ADMIN permission to the "auditors" group"""
user_admin_perm, is_new = Permission.get_or_create(session, name=USER_ADMIN,
description="grouper.admin.users permission")
session.commit()
grant_permission(groups["auditors"], user_admin_perm)示例15: test_permission_exclude_inactive
def test_permission_exclude_inactive(session, standard_graph):
"""Ensure disabled groups are excluded from permission data."""
group = Group.get(session, name="team-sre")
permission = Permission.get(session, name="ssh")
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, permission)]
group.disable()
assert "team-sre" not in [g[0] for g in get_groups_by_permission(session, permission)]